Quizzes

D Cultural change. A cultural change involves a change in attitudes and mindset.

An organization is changing to a quality assurance program that incorporates a mindset of "quality throughout the process." This is very different from its years of dependence on quality control at the end of the process. This type of change is a A Product change. B Organizational change. C Structural change. D Cultural change.

The codes of conduct must be in writing and displayed in public areas, such as a break room. While it may be beneficial to have a code of conduct in writing, the code does not need to be displayed in all public areas. It should, however, be accessible to employees should they need to refer to it.

Each of the following statements is correct regarding the existence and implementation of codes of conduct except The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading. The codes of conduct are periodically acknowledged by all employees. The codes of conduct must be in writing and displayed in public areas, such as a break room. Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior.

C Purchase requisitions, purchase orders, receiving reports, and vendor invoices. Before ordering an item, the purchasing department should have on hand a purchase requisition reflecting an authorized request by a user department. Before a voucher is prepared for paying an invoice, the accounts payable department should have the purchase requisition, a purchase order (to be certain the items were indeed ordered), the vendor's invoice, and a receiving report (to be certain the items were received).

To control purchasing and accounts payable, an information system must include certain source documents. For a manufacturing organization, these documents should include A Receiving reports and vendor invoices. B Purchase requisitions, purchase orders, inventory reports of goods needed, and vendor invoices. C Purchase requisitions, purchase orders, receiving reports, and vendor invoices. D Purchase orders, receiving reports, and vendor invoices.

D Chief audit executive. The chief audit executive must communicate the results of the QAIP to senior management and the board (Attr. Std. 1320).

Following an external assessment of the internal audit activity, who is (are) responsible for communicating the results to the board? A External auditors. B Internal auditors. C Audit committee. D Chief audit executive.

A Data flow diagrams. Data flow diagrams show how data flow to, from, and within the system and the processes that manipulate the data. A data flow diagram can be used to depict lower-level details as well as higher-level processes. A system can be divided into subsystems, and each subsystem can be further subdivided at levels of increasing detail. Thus, any process can be expanded as many times as necessary to show the required level of detail.

Graphical notations that show the flow and transformation of data within a system or business area are called A Data flow diagrams. B Action diagrams. C Conceptual data models. D Program structure charts.

D Horizontal (or systems) flowchart. Flowcharting is a useful tool for systems development as well as understanding the internal control structure. A flowchart is a pictorial diagram of the definition, analysis, or solution of a problem in which symbols are used to represent operations, data flow, equipment, etc. A systems flowchart provides an overall view of the inputs, processes, and outputs of a system, such as a set of interacting departments.

In documenting the procedures used by several interacting departments the internal auditor will most likely use a(n) A Internal control questionnaire. B Vertical flowchart. C Gantt chart. D Horizontal (or systems) flowchart.

1 and 3 only. Internal auditors must exercise due professional care by considering the Extent of work needed to achieve the engagement's objectives Relative complexity, materiality, or significance of matters to which assurance procedures are applied Adequacy and effectiveness of governance, risk management, and control processes Probability of significant errors, fraud, or noncompliance Cost of assurance in relation to potential benefits (Impl. Std. 1220.A1) Assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified (Impl. Std. 1220.A3).

In exercising due professional care, internal auditors must consider which of the following? 1. The relative complexity, materiality, or significance of matters to which assurance procedures are applied 2. The extent of assurance procedures necessary to ensure that all significant risks will be identified 3. The probability of significant errors, irregularities, or noncompliance 2 and 3 only. 1 and 2 only. 1, 2, and 3. 1 and 3 only.

Apply and uphold the principles embodied in The IIA's Code of Ethics The Code includes Principles (integrity, objectivity, confidentiality, and competency) relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavioral norms for internal auditors and that interpret the Principles. Internal auditors are expected to apply and uphold the Principles. Furthermore, that a particular conduct is not mentioned in the Rules does not prevent it from being unacceptable or discreditable.

Today's internal auditor will often encounter a wide range of potential ethical dilemmas, not all of which are explicitly addressed by The IIA's Code of Ethics. If the internal auditor encounters such a dilemma, the internal auditor should always Apply and uphold the principles embodied in The IIA's Code of Ethics. Seek the counsel of the board before deciding on an action. Seek counsel from an independent attorney to determine the personal consequences of potential actions. Act consistently with the code of ethics adopted by the organization even if such action is not consistent with The IIA's Code of Ethics.

A Post the receipts to the accounts receivable subsidiary ledger cards. The cashier is an assistant to the chief financial officer and thus performs an asset custody function. Individuals with custodial functions should not have access to the accounting records. If the cashier were allowed to post the receipts to the accounts receivable subsidiary ledger, an opportunity for embezzlement would arise that could be concealed by falsifying the books.

In a well-designed internal control structure in which the cashier receives remittances from the mail room, the cashier should not A Post the receipts to the accounts receivable subsidiary ledger cards. B Endorse the checks. C Deposit remittances daily at a local bank. D Prepare the bank deposit slip.

A Risk that is not managed. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event. Such action includes control activities in responding to a risk.

What is residual risk? A Risk that is not managed. B Risk that is under control. C Underlying risk in the environment. D Impact of risk.

A Provide assurance on the management of the risk.

When assessing the risk associated with an activity, an internal auditor should A Provide assurance on the management of the risk. B Update the risk management process based on risk exposures. C Design controls to mitigate the identified risks. Incorrect D Determine how the risk should best be managed.

Assess The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.

Which of the following actions is required of the CAE in regard to the objectivity of internal auditors? Assess. Manage. Maximize. Prioritize.

C Examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure or risk in the various segments of the organization's operations. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating the adequacy and the effectiveness of controls.

Internal auditing is responsible for assisting in the prevention of fraud by A Determining whether operating standards are acceptable and are being met. B Establishing the organization's governance, operations, and information systems concerning compliance with laws, regulations, and contracts. C Examining and evaluating the adequacy and the effectiveness of control, commensurate with the extent of the potential exposure or risk in the various segments of the organization's operations. D Informing the appropriate authorities within the organization and recommending whatever investigation is considered necessary in the circumstances when wrongdoing is suspected.

B A directive from top management stating that internal auditors will be used for all process-improvement projects. A directive does not promote, but requires, the use of internal auditors. The result may be resentment towards the internal auditors and resistance to beneficial change. Education, communication, participation in decisions by those affected, facilitation and support, and negotiation are means of overcoming resistance to change.

Internal auditors can be considered leading agents for change within an organization. Which of the following is not a good way to promote this concept? A A brochure describing what internal auditing can do and the qualifications of the internal auditors. B A directive from top management stating that internal auditors will be used for all process-improvement projects. C Post-engagement questionnaires to obtain information on how engagement clients perceive the internal audit activity. D Bulletins that highlight widespread or universal applications of engagement observations.

C Guiding the ethical conduct of internal auditors. Guiding the ethical conduct of internal auditors is the purpose of the Code of Ethics, not the Standards.

The purposes of the Standards include all of the following except A Establishing the basis for the measurement of internal audit performance. B Fostering improved organizational processes and operations. C Guiding the ethical conduct of internal auditors. D Guiding adherence to the mandatory elements of the IPPF.

C Offer the candidate a position if other staff members possess sufficient knowledge in economics and information technology. Each member of the internal audit activity need not be qualified in all disciplines.

A chief audit executive has reviewed credentials, checked references, and interviewed a candidate for a staff position. The CAE concludes that the candidate has a thorough understanding of internal audit techniques, accounting, and finance. However, the candidate has limited knowledge of economics and information technology. Which action is most appropriate? A Offer the candidate a position despite lack of knowledge in certain essential areas. B Reject the candidate because of the lack of knowledge required by the Standards. C Offer the candidate a position if other staff members possess sufficient knowledge in economics and information technology. D Encourage the candidate to obtain additional training in economics and information technology and then reapply.

D Common shareholders. Common shareholders are not responsible for implementing decisions within the organization. If members of the management team also are common shareholders, they must make decisions consistent with their stewardship function. Thus, they must separate their ownership interests from their managerial responsibilities. Organizational change is conducted through change agents, who may include employees, managers, or outside consultants.

A major corporation is considering significant organizational changes. Which of the following groups will not be responsible for implementing these changes? A Employees. B Outside consultants. C Top management. D Common shareholders.

Supported by periodic appraisals. Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include, among other things, safeguarding of assets (Impl. Std. 2120.A1). Safeguarding assets includes insuring them. The types and amounts of insurance should be supported by periodic appraisals.

To minimize potential financial losses associated with physical assets, the assets should be insured in an amount that is Supported by periodic appraisals. Equal to the book value of the individual assets. Automatically adjusted by an economic indicator such as the consumer price index. Determined by the board of directors.

C Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board. When evaluating a code of conduct, it is important to consider two items: comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance. The internal auditor also must consider the extent to which employees are complying with the standards established.

A code of conduct was developed several years ago and distributed by a large financial institution to all its officers and employees. What is the internal auditor's best approach to providing the board with the highest level of comfort about the code of conduct? A Fully evaluate organizational practices for compliance with the code and report to the board. B Perform tests on various employee transactions to detect potential violations of the code of conduct. C Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board. D Review employee activities for compliance with provisions of the code and report to the board.

Change management. Hiring a specialized individual to help with the transition into a new enterprise resource planning application is a way to help manage the change. Thus, this is an example of change management.

A company implements an enterprise resource planning application to help improve its financial and operational reporting while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of Change management. A social event. Segregation of duties. An economic event.

B False representation or concealment of a material fact. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force."

A key feature that distinguishes fraud from other types of crime or impropriety is that fraud always involves the A Violent or forceful taking of property. B False representation or concealment of a material fact. C Deceitful wrongdoing of management-level personnel. D Unlawful conversion of property that is lawfully in the custody of the perpetrator.

B Evaluate and improve the effectiveness of control processes. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes (Definition of Internal Auditing).

A major reason for establishing an internal audit activity is to A Safeguard resources entrusted to the organization. B Evaluate and improve the effectiveness of control processes. C Ensure the reliability and integrity of financial and operational information. D Relieve overburdened management of the responsibility for establishing effective controls.

Evaluate and improve the effectiveness of control processes. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes (Definition of Internal Auditing).

A major reason for establishing an internal audit activity is to Safeguard resources entrusted to the organization. Relieve overburdened management of the responsibility for establishing effective controls. Ensure the reliability and integrity of financial and operational information. Evaluate and improve the effectiveness of control processes.

B Perform an independent evaluation of management's planning process as a basis for making recommendations. Internal auditing is an organizationally independent and individually objective assurance and consulting activity that adds value and improves operations. It evaluates and contributes to the improvement of the organization's governance, risk management, and control processes. Thus, evaluating the planning process is within the broad scope of work of internal auditing.

A manufacturer has been expanding rapidly and is considering adding a new production line. Employees are currently working double shifts and receiving large amounts of overtime pay. Demand for all of the organization's products is currently high, but management worries about demand fluctuations with changes in the economy and technological developments by competitors. Management is concerned with such issues as whether it is efficiently using its resources, whether it is expanding too rapidly or not rapidly enough, whether employee morale is decreasing, and whether future expansion should be financed internally or through debt. Of the following management requests, which is within the normal scope of work of the internal audit activity as stated in the Standards? A Talk with banks to identify financing alternatives and negotiate contract alternatives that will be presented to management for evaluation. B Perform an independent evaluation of management's planning process as a basis for making recommendations. C Analyze financing alternatives and present the alternatives to the audit committee. D Undertake a make-or-buy decision analysis to determine whether the organization should subcontract for part of its manufacturing versus adding capacity. Report the recommendation to management for approval.

C The CAE will report to the audit committee. Independence is effectively achieved when the CAE reports functionally to the board (Inter. Std. 1110). The audit committee is a subset of the boa

A medium-sized publicly owned organization operating in Country X has grown to a size that the governing authority believes warrants the establishment of an internal audit activity. Country X has legislated internal audit requirements for government-owned organizations. The organization changed the bylaws to reflect the establishment of the internal audit activity. The governing authority decided that the chief audit executive (CAE) must be a certified internal auditor and will report directly to the newly established audit committee. Which of the items discussed above will contribute the most to the new CAE's independence? A The CAE is to be a certified internal auditor. B The establishment of the internal audit activity is documented in the bylaws. C The CAE will report to the audit committee. D Country X has legislated internal auditing requirements.

A The internal audit activity violated the Standards by not providing adequate supervision. Rule of Conduct 4.2 under the competency principle requires internal auditing services to be performed in accordance with the Standards. Attr. Std. 1200 requires engagements to be performed with proficiency and due professional care. They also should be properly supervised to ensure that objectives are achieved, quality is assured, and staff is developed (Perf. Std. 2340).

A new staff internal auditor was told to perform an engagement in an area with which the internal auditor was not familiar. Because of time constraints, no supervision was provided. The assignment represented a good learning experience, but the area was clearly beyond the internal auditor's competence. Nonetheless, the internal auditor prepared comprehensive working papers and communicated the results to management. In this situation, A The internal audit activity violated the Standards by not providing adequate supervision. B The Standards and The IIA's Code of Ethics were followed by the internal audit activity. C The internal audit activity violated the Standards by hiring an internal auditor without proficiency in the area. D The chief audit executive has not violated The IIA's Code of Ethics because it does not address supervision.

D Promote an ethical culture among professionals who serve others. The purpose of The IIA's Code of Ethics is "to promote an ethical culture in the profession of internal auditing" (Introduction).

A primary purpose of establishing a code of conduct within a professional organization is to A Reduce the likelihood that members of the profession will be sued for substandard work. B Require members of the profession to exhibit loyalty in all matters pertaining to the affairs of their organization. C Ensure that all members of the profession perform at approximately the same level of competence. D Promote an ethical culture among professionals who serve others.

C 1, 3, and 4 only. A quality assurance and improvement program (QAIP) is designed to provide reasonable assurance that the internal audit activity conforms with the Standards and the Code of Ethics. QAIP processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments.

A quality assurance and improvement program of an internal audit activity provides reasonable assurance that internal auditing work is performed in accordance with its charter. Which of the following are designed to provide feedback on the effectiveness of an internal audit activity? 1. Proper supervision 2. Proper training 3. Internal reviews 4. External reviews A 2, 3, and 4 only. B 1, 2, 3, and 4. C 1, 3, and 4 only. D 1, 2, and 3 only.

D Ensures the accuracy and completeness of data input. This reconciliation is an input control to verify that data entry is accurate and complete. The parts requested should be consistent with the parts used in the maintenance activities. Unexplained variances should be investigated.

A rental car agency's fleet maintenance division uses a different code for each type of inventory transaction. A daily summary report lists activity by part number and transaction code. The report is reconciled by the parts room supervisor to the day's material request forms and is then forwarded to the fleet manager for approval. The reconciliation of the summary report to the day's material request forms by the parts room supervisor A Confirms that all material request forms are entered for all parts issued. B Provides documentation as to what material was available for a specific transaction. C Verifies that all material request forms were approved. D Ensures the accuracy and completeness of data input.

B Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin. Monitoring is a process that assesses the quality of internal control over time. It involves assessment by appropriate personnel of the design and operation of controls and the taking of corrective action. Monitoring can be done through ongoing activities or separate evaluations. Ongoing monitoring procedures are built into the normal recurring activities of an entity and include regular management and supervisory activities. Thus, analysis of gross margin data and investigation of significant deviations is a monitoring process.

A restaurant chain has over 680 restaurants. All food orders for each restaurant are required to be entered into an electronic device that records all food orders by food servers and transmits the order to the kitchen for preparation. All food servers are responsible for collecting cash for all their orders and must turn in cash at the end of their shift equal to the sales value of food ordered for their I.D. number. The manager then reconciles the cash received for the day with the computerized record of food orders generated. All differences are investigated immediately by the restaurant. Organizational headquarters has established monitoring controls to determine when an individual restaurant might not be recording all its revenue and transmitting the applicable cash to the corporate headquarters. Which one of the following is the best example of a monitoring control? A All food orders must be entered on the computer, and segregation of duties is maintained between the food servers and the cooks. B Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin. C The restaurant manager reconciles the cash received with the food orders recorded on the computer. D Cash is transmitted to corporate headquarters on a daily basis.

D Provisions for disciplinary action in the event of violations. Penalties for violations of a code of conduct should enhance its effectiveness. Some individuals will be deterred from misconduct if they expect it to be detected and punished.

A review of an organization's code of conduct revealed that it contained comprehensive guidelines designed to inspire high levels of ethical behavior. The review also revealed that employees were knowledgeable of its provisions. However, some employees still did not comply with the code. What element should a code of conduct contain to enhance its effectiveness? A Employee involvement in its development. B Periodic review and acknowledgment by all employees. C Public knowledge of its contents and purpose. D Provisions for disciplinary action in the event of violations.

A Provisions for disciplinary action in the event of violations. Penalties for violations of a code of conduct should enhance its effectiveness. Some individuals will be deterred from misconduct if they expect it to be detected and punished.

A review of an organization's code of conduct revealed that it contained comprehensive guidelines designed to inspire high levels of ethical behavior. The review also revealed that employees were knowledgeable of its provisions. However, some employees still did not comply with the code. What element should a code of conduct contain to enhance its effectiveness? A Provisions for disciplinary action in the event of violations. B Employee involvement in its development. C Periodic review and acknowledgment by all employees. D Public knowledge of its contents and purpose

Visibly participate in a global information security campaign. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. By visibly participating in a global information security campaign, management's commitment to the security of company information is evident to all team members.

A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should Refer to the organization's U.S. human resources policies on privacy in a company newsletter. Allocate additional budget resources for external audit services. Visibly participate in a global information security campaign. Review and accept the information security risk assessments in a staff meeting.

A There were no written policies describing prohibited activities and the action required whenever violations are discovered. Management is responsible for establishing and maintaining internal control. Thus, management also is responsible for the fraud prevention program. The control environment element of this program includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top. Moreover, organizations should establish effective fraud-related information and communication practices, for example, documentation and dissemination of policies, guidelines, and results.

A significant employee fraud took place shortly after an internal auditing engagement. The internal auditor may not have properly fulfilled the responsibility for the prevention of fraud by failing to note and report that A There were no written policies describing prohibited activities and the action required whenever violations are discovered. B A system of control that depended upon separation of duties could be circumvented by collusion among three employees. C Divisional employees had not been properly trained to distinguish between bona fide signatures and cleverly forged ones on authorization forms. D Policies, practices, and procedures to monitor activities and safeguard assets were less extensive in low-risk areas than in high-risk areas.

Only storeroom personnel and line supervisors have access to the raw materials storeroom Storeroom personnel have custody of assets, and supervisors are in charge of execution functions. To give supervisors access to the raw materials storeroom is a violation of the essential internal control principle of segregation of functions.

A system of internal control includes physical controls over access to and use of assets and records. A departure from the purpose of such procedures is that Only storeroom personnel and line supervisors have access to the raw materials storeroom. Access to the safe-deposit box requires two officers. The mailroom compiles a list of the checks received in the incoming mail. Only salespersons and sales supervisors use sales department vehicles.

A manager within the department. A manager within a particular department is best suited to devise and execute risk procedures for that department because (s)he generally has the most knowledge and expertise about the individual risks that threaten the department's objectives. Additionally, (s)he will be able to ensure that the procedures are carried out on a day-to-day basis.

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is A manager within the department. The audit committee. The internal audit department. The chief executive officer.

B Internal environment. The internal environment component sets the tone of the entity. It reflects the entity's (1) risk management philosophy, (2) risk appetite, (3) integrity, (4) ethical values, and (5) overall environment.

According to COSO, which of the following components of enterprise risk management addresses an entity's integrity and ethical values? A Risk assessment. B Internal environment. C Control activities. D Information and communication.

Demonstrating appropriate behavior by example. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. Demonstrating appropriate behavior by example is the most effective method to transmit a message of ethical behavior throughout an organization.

According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization? Demonstrating appropriate behavior by example. Strengthening internal audit's ability to deter and report improper behavior. Removing pressures to meet unrealistic targets, particularly for short-term results. Specifying the competence levels for every job in an organization and translating those levels to requisite knowledge and skills.

B Performance Standards. The mandatory guidance portion of the IPPF consists of the Core Principles, Definition of Internal Auditing, the Code of Ethics, Attribute Standards, Performance Standards, and Implementation Standards.

According to The IIA's International Professional Practices Framework, which of the following constitute mandatory guidance for implementing the Standards? A Development Aids. B Performance Standards. C Practice Aids. D Implementation Guides.

D Expand activities to determine whether an investigation is warranted. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

After noting some red flags, an internal auditor has an increased awareness that fraud may be present. Which of the following best describes the internal auditor's responsibility? A Consult with external legal counsel to determine the course of action to be taken, including the approval of the proposed engagement work program to make sure it is acceptable on legal grounds. B Report the possibility of fraud to senior management and the board and ask them how they would like to proceed. C Report the matter to the audit committee and request funding for outside service providers to help investigate the possible fraud. D Expand activities to determine whether an investigation is warranted.

C The internal audit charter should be amended. The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter (Attr. Std. 1000). The nature of consulting services must be defined in the internal audit charter (Impl. Std. 1000.C1).

After the chief audit executive receives approval from the board to offer consulting services, what should be done? A The CAE should begin performing consulting services. B The CAE should get approval from the internal auditors. C The internal audit charter should be amended. D The board should develop appropriate policies and procedures for conducting such engagements.

D To outline criteria for professional behavior to maintain standards of integrity and objectivity. The primary purpose of a code of ethical behavior for a professional organization is to promote an ethical culture among professionals who serve others.

An accounting association established a code of ethics for all members. What is one of the association's primary purposes of establishing the code of ethics? A To provide a framework within which accounting policies could be effectively developed and executed. Graded B To outline criteria that can be used in conducting interviews of potential new accountants. C To establish standards to follow for effective accounting practice. D To outline criteria for professional behavior to maintain standards of integrity and objectivity.

D Reviewing systems of control before implementation. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented.

An activity appropriately performed by the internal audit activity is A Installing systems of control. B Drafting procedures for systems of control. C Designing systems of control. D Reviewing systems of control before implementation.

A Goods received are counted and compared with quantities on purchase order and receiving reports. Detective controls are designed to detect and correct undesirable events that have occurred. Accounting for all goods received and comparing quantities on purchase orders and receiving reports is an example.

An adequate and effective system of internal control provides reasonable assurance that objectives will be achieved. Controls may be preventive, detective, or directive. Which of the following is a detective control for the procurement function? A Goods received are counted and compared with quantities on purchase order and receiving reports. B Review and approval of each procurement action is required prior to the final issuance of a purchase order. C Prenumbered standard purchase order forms include all relevant terms required to be used in all applicable instances. D The procurement function is organizationally separate from receiving, disbursing, and accounting.

C Ascertain if the feasibility study addresses cost-benefit relationships. Assessing the adequacy of a feasibility study is properly within the scope of work of internal audit. The other three choices involve internal audit participation in decisions that are properly those of management.

An appropriate internal auditing role in a feasibility study is to A Serve on the task force for the preliminary survey. B Determine the requirements for preparing a manual of specifications. C Ascertain if the feasibility study addresses cost-benefit relationships. D Participate in the drafting of recommendations for the computer acquisition and implementation.

C Access to records, personnel, and physical properties relevant to the performance of engagements. The charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Inter. Attr. Std. 1000).

An element of authority that must be included in the charter of the internal audit activity is A Access to the external auditor's engagement records. B Identification of the organizational units where engagements are to be performed. C Access to records, personnel, and physical properties relevant to the performance of engagements. D Identification of the types of disclosures that should be made to the board.

A The employee could pledge organizational investments as security for a short-term personal bank loan. The bank should maintain a record, which can be inspected by organizational personnel, of all safe deposit box visits. Access should be limited to authorized officers. Organizations typically require the presence of two authorized persons for access to the box. This precaution provides supervisory control over, for example, the temporary removal of the securities to serve as a pledge for a loan (hypothecation of securities).

An employee should not be able to visit the organization's safe deposit box containing investment securities without being accompanied by another employee. What would be a possible consequence of an employee's being able to visit the safe deposit box unaccompanied? A The employee could pledge organizational investments as security for a short-term personal bank loan. B The employee could steal securities and the theft would never be discovered. C It would be impossible to obtain a fidelity bond on the employee. D There would be no record of when organizational personnel visited the safe deposit box.

C Items for cycle count are selected by stockroom personnel. The opportunity for fraud has been increased because stockroom personnel select the items for cycle count (poor internal control). Selection of items should be based on relative values or the relationship of an item to the total volume of transactions. Moreover, personnel who do not have custodial or recordkeeping responsibilities should control the counts.

An engagement had been scheduled by the chief audit executive to address unusual inventory shortages revealed in the annual physical inventory process at a large consumer goods warehouse operation. A cycle count program had been installed in the storeroom at the beginning of the year in place of the disruptive process of counting one entire product line at the end of each month. The cycle count program appeared effective because only nine minor adjustments had been made for the entire year on the several thousand different products located in the storeroom. The storeroom supervisor explained that each of the 15 stockroom personnel selected one item each day for cycle count based on how efficiently the item could be counted. The opportunity for control-related problems including fraud has been increased in the stockroom because A Stockroom personnel record cycle count information. B A cycle count program has been installed in place of a less efficient program. C Items for cycle count are selected by stockroom personnel. D Only nine minor adjustments have been recorded as a result of the cycle count process.

A Whether existing procedures within the internal audit activity provide for proper planning and quality assurance. The CAE should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed.

An individual became head of the internal audit activity of an organization 1 week ago. An engagement client has come to the person complaining vigorously that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose. In handling this conflict with a client, the person should consider A Whether existing procedures within the internal audit activity provide for proper planning and quality assurance. B Promising the client that the internal auditor will finish the work within 1 week. C Discounting what is said, but documenting the complaint. D Presenting an immediate defense of the internal auditor based upon currently known facts.

B One internal auditor told the review team that, during an engagement to review the payroll function, the payroll manager approached the auditor. The manager indicated the need for an accountant to prepare financial statements for the manager's part-time business. The internal auditor agreed to perform this work for a reduced fee during non-work hours. An internal auditor is not to accept a fee, gift, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor's objectivity has been impaired.

An internal audit activity is currently undergoing its first external quality assurance review since its formation 3 years ago. From interviews, the review team is informed of certain internal auditor activities over the past year. Which of the following activities could affect the quality assurance review team's evaluation of the objectivity of the internal auditors? A An internal auditor's participation was requested on a task force to reduce the organization's inventory losses from theft and shrinkage. This is the first consulting assignment undertaken by the internal audit activity. The internal auditor's role is to advise the task force on appropriate control procedures. B One internal auditor told the review team that, during an engagement to review the payroll function, the payroll manager approached the auditor. The manager indicated the need for an accountant to prepare financial statements for the manager's part-time business. The internal auditor agreed to perform this work for a reduced fee during non-work hours. C During an engagement to review the construction of a building addition to the organization's headquarters, the vice president of facilities management gave the internal auditor a commemorative mug with the organization's logo. These mugs were distributed to all employees present at the ground-breaking ceremony. D After reviewing the installation of a data processing system, the internal auditor made recommendations on standards of control. Three months after completion of the engagement, the engagement client requested the internal auditor's review of certain procedures for adequacy. The internal auditor agreed and performed this review

C Attesting to the fairness of presentation of cash position. Professional standards place sole responsibility for the attest function on the external auditors. Only the external auditors have the necessary independence to permit the provision of assurance to external parties. Unlike circumstances in which the external auditors use the work of other independent auditors, the responsibility cannot be shared with the internal auditors.

An internal audit activity is often requested to coordinate its work with that of the external auditors. Which of the following activities is most likely to be restricted to the external auditor? A Reviewing the system established to ensure compliance with laws, regulations, and contracts. B Evaluating the system of controls over cash collections and similar transactions. C Attesting to the fairness of presentation of cash position. D Evaluating the adequacy of the organization's overall system of internal controls.

B Analyze a system and identify internal controls. Flowcharting is a tool commonly used to learn what set of procedures is supposed to be in effect in a control system. An internal control flowchart is a pictorial diagram of documents and their processing and disposition within the system. It is a basis for preliminary evaluation and is followed by testing to see if the prescribed procedures are in effect and are working as intended.

An internal auditor develops a flowchart primarily to A Determine functional responsibilities. B Analyze a system and identify internal controls. C Reduce the need for interviewing auditee personnel. D Detect errors and irregularities.

B Preparing the personal tax return, for a fee, for one of the organization's division managers. Rule of Conduct 2.2 under the objectivity principle states, "Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment." Preparing a personal tax return for a division manager for a fee falls under this prohibition.

An internal auditor engages in the preparation of income tax forms during the tax season. For which of the following activities will the internal auditor most likely be in violation of The IIA's Code of Ethics? A Teaching an evening tax seminar, for a fee, at a local university. B Preparing the personal tax return, for a fee, for one of the organization's division managers. C Preparing tax returns for elderly citizens, regardless of their associations, as a public service. D Writing a tax guide intended for publication and sale to the general public.

C Has violated the Standards because the internal auditor should inform the appropriate authorities in the organization if fraud may be indicated. The internal auditor should inform the appropriate authorities in the organization if the indicators of the commission of a fraud are sufficient to recommend an investigation. Thus, the internal auditor has a duty to act even though the available facts do not prove that an irregularity has occurred. Moreover, Rule of Conduct 2.3 states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."

An internal auditor has uncovered facts that could be interpreted as indicating unlawful activity on the part of an engagement client. The internal auditor decides not to inform senior management and the board of these facts because of lack of proof. The internal auditor, however, decides that, if questions are raised regarding the omitted facts, they will be answered fully and truthfully. In taking this action, the internal auditor A Has not violated The IIA's Code of Ethics or the Standards because confidentiality takes precedence over all other standards. B Has not violated The IIA's Code of Ethics or the Standards because the internal auditor is committed to answering all questions fully and truthfully. C Has violated the Standards because the internal auditor should inform the appropriate authorities in the organization if fraud may be indicated. D Has violated The IIA's Code of Ethics because unlawful acts should have been reported to the appropriate regulatory agency to avoid potential "aiding and abetting" by the internal auditor.

B Develop a program that identifies procedures performed on an individual in excess of expectations based on the age of the employee, whether a similar procedure was performed recently, or the average cost per claim. Under this detective control, unusual claims could be identified and followed up to determine if they are legitimate. This control is a type of IT input control known as a reasonableness test.

An internal auditor is assigned to perform an engagement to evaluate the organization's insurance program, including the appropriateness of the approach to minimizing risks. The organization self-insures against large casualty losses and health benefits provided for all its employees. The organization is a large national firm with over 15,000 employees located in various parts of the country. It uses an outside claims processor to administer its healthcare program. The organization's medical costs have been rising by approximately 8% per year for the past 5 years, and management is concerned with controlling these costs. The healthcare processor wishes to implement controls that would help prevent fraud by dentists who are submitting billings for services not provided. Assume further that all the claims are submitted electronically to the healthcare processor. Which of the following control procedures would be the most effective? A Develop an integrated test facility and submit false claims to verify that the system is detecting such claims on a consistent basis. B Develop a program that identifies procedures performed on an individual in excess of expectations based on the age of the employee, whether a similar procedure was performed recently, or the average cost per claim. C Require all submitted claims to be accompanied by a signed statement by the dentist testifying that the claimed procedures were performed. D Send confirmations to the dentists requesting them to confirm the exact nature of the claims submitted to the healthcare processor.

B Participation by the managers in the decision process.

An internal auditor is conducting an operational review that affects several different functional units. The auditor believes that the process under review can be improved, but the operating managers are resistant to suggestions for change. There are several methods the auditor could use to overcome the operating managers' resistance. Identify the technique that will produce the highest probability of success with the fewest negative side effects. A Negotiation with the operating managers. B Participation by the managers in the decision process. C Coercion of the managers through threats. D Cooperation by approaching each manager individually.

B One of the division's major competitors went out of business during the year. A decrease in the number of competitors during the year is a potential explanation for the increase in sales and profits.

An internal auditor is investigating the performance of a division with an unusually large increase in sales, gross margin, and profit. Which of the following indicators is least likely to indicate the possibility of sales-related fraud in the division? A A significant portion of divisional management's compensation is based on reported divisional profits. B One of the division's major competitors went out of business during the year. C The internal auditor has taken a random sample of sales invoices but cannot locate a shipping document for a number of the sales transactions selected for November and December. D There is an unusually large amount of sales returns recorded after year end.

C A statement requiring board review of each transaction because of the risk involved in such transactions. A policy requiring board review of every derivatives transaction is cost ineffective. Management is responsible for daily operations and is expected to conform to the policies of the board.

An internal auditor is reviewing the organization's policy regarding investing in financial derivatives. The internal auditor normally expects to find all of the following in the policy except A A specific authorization limit for the amount and types of derivatives that can be used by the organization. B A specific limit on the amount authorized for any single trader. C A statement requiring board review of each transaction because of the risk involved in such transactions. D A statement indicating whether derivatives are to be used for hedging or speculative purposes.

Adverse effects related to the item are likely to occur. Internal auditors must exercise due professional care by considering the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1). Materiality judgments are made in the light of all the circumstances and involve qualitative as well as quantitative considerations. Moreover, internal auditors also must consider the interplay of risk with materiality. Consequently, engagement effort may be required for a quantitatively immaterial item if adverse effects are likely to occur, for example, a material contingent liability arising from an illegal payment that is otherwise immaterial.

An internal auditor judged an item to be immaterial when planning an assurance engagement. However, the assurance engagement may still include the item if it is subsequently determined that Adverse effects related to the item are likely to occur. Related information is reliable. Sufficient staff is available. Miscellaneous income is affected.

A Write-offs of delinquent accounts. The accounts receivable manager has the ability to perpetrate irregularities because (s)he performs incompatible functions. Authorization and recording of transactions should be separate. Thus, someone outside the accounts receivable department should authorize write-offs.

An internal auditor noted that the accounts receivable department is separate from other accounting activities. Credit is approved by a separate credit department. Control accounts and subsidiary ledgers are balanced monthly. Similarly, accounts are aged monthly. The accounts receivable manager writes off delinquent accounts after 1 year, or sooner if a bankruptcy or other unusual circumstances are involved. Credit memoranda are prenumbered and must correlate with receiving reports. Which of the following areas could be viewed as an internal control weakness of the above organization? A Write-offs of delinquent accounts. B Credit approvals. C Handling of credit memos. D Monthly aging of receivables.

A Move the small tools inventory to the custody of the production inventory staging superintendent and implement the use of a special requisition to issue small tools. Minimizing the loss of assets requires a preventive control. Giving responsibility for custody of small tools to one individual establishes accountability. Requiring that requisitions be submitted ensures that their use is properly authorized

An internal auditor notes year-to-year increases for small tool expense at a manufacturing facility that has produced the same amount of identical product for the last 3 years. Production inventory is kept in a controlled staging area adjacent to the receiving dock, but the supply of small tools is kept in an unsupervised area near the exit to the plant employees' parking lot. After determining that all of the following alternatives are equal in cost and are also feasible for local management, the internal auditor would best address the security issue by recommending that plant management A Move the small tools inventory to the custody of the production inventory staging superintendent and implement the use of a special requisition to issue small tools. B Place supply of small tools in a secured area, install a key-access card system for all employees, and record each key-access transaction on a report for the production superintendent. C Close the exit to the employee parking lot and require all plant employees to use a doorway by the receiving dock that also provides access to the plant employees' parking area. D Initiate a full physical inventory of small tools on a monthly basis.

The IIA Standards do not apply outside of the United States. Pronouncements by The IIA have no geographic limits. Compliance with the concepts in the Standards is essential for the responsibilities of internal auditors to be met, regardless of the national environment.

An internal auditor often faces special problems when performing an engagement at a foreign subsidiary. Which of the following statements is false with respect to the conduct of international engagements? There may be justification for having different organizational policies in force in foreign branches. The IIA Standards do not apply outside of the United States. It is preferable to have multilingual internal auditors conduct engagements at branches in foreign nations. The internal auditor should determine whether managers are in compliance with local laws.

D Are a good guide to potential segregation of duties. Systems flowcharts are overall graphic analyses of the flow of data and the processing steps in an information system. Accordingly, they can be used to show segregation of duties and the transfer of data between different segments in the organization.

An internal auditor reviews and adapts a systems flowchart to understand the flow of information in the processing of cash receipts. Which of the following statements is true regarding the use of such flowcharts? The flowcharts A Show only computer processing, not manual processing. B Are generally kept up to date for systems changes. C Show specific control procedures used, such as edit tests that are implemented and batch control reconciliations. D Are a good guide to potential segregation of duties.

D Evaluate fraud indicators and decide whether further action is necessary. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An internal auditor suspects that a mailroom clerk is embezzling funds. In exercising due professional care, the internal auditor should A Institute stricter controls over mailroom operations. B Reassign the clerk to another department. C Confront the clerk with the auditor's suspicions. D Evaluate fraud indicators and decide whether further action is necessary.

Take action consistent with the principles embodied in The IIA's Code of Ethics. The IIA's Code of Ethics is based on principles relevant to the profession and practice of internal auditing that internal auditors are expected to apply and uphold: integrity, objectivity, confidentiality, and competency. Furthermore, the Code states that particular conduct may be unacceptable or discreditable even if it is not mentioned in the Rules of Conduct.

An internal auditor who encounters an ethical dilemma not explicitly addressed by The IIA's Code of Ethics should always Act consistently with the employing organization's code of ethics even if such action would not be consistent with The IIA's Code of Ethics. Seek the counsel of the audit committee before deciding on an action. Seek counsel from an independent attorney to determine the personal consequences of potential actions. Take action consistent with the principles embodied in The IIA's Code of Ethics.

Until at least 1 year has elapsed. Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity.

An internal auditor who had been supervisor of the accounts payable section should not perform an assurance review of that section Until after the next annual review by the external auditors. Until it is clear that the new supervisor has assumed the responsibilities. Until at least 1 year has elapsed. Because a reasonable period of time in which to establish independence cannot be determined.

D Recommend an investigation if appropriate An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

An internal auditor who suspects fraud should A Identify the employees who could be implicated in the case. B Determine that a loss has been incurred. C Interview those who have been involved in the control of assets. D Recommend an investigation if appropriate.

B Drafting operating procedures for the new system. An internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, drafting procedures for, or operating systems, however, are presumed to impair the internal auditor's objectivity. Such services may create a conflict of interest, a situation in which internal auditors have a competing professional or personal interest. This may create an appearance of impropriety that undermines confidence in the internal audit activity (Inter. Attr. Std. 1120).

An organization is planning to develop and implement a new computerized purchase order system in one of its manufacturing subsidiaries. The vice president of manufacturing has requested that internal auditors participate on a team consisting of representatives from finance, manufacturing, purchasing, and marketing. This team will be responsible for the implementation effort. Eager to take on this high profile project, the chief audit executive assigns a senior internal auditor to the project to assist "as needed." Assuming the senior internal auditor performed all of the following activities, which one will impair objectivity if the internal auditor is asked to review the purchase order system on a post-engagement basis? A Helping to identify and define control objectives. B Drafting operating procedures for the new system. C Testing for compliance with system development standards. D Evaluate risk exposures of systems and programming standards.

C Establishing a proper organizational culture and specifying a system of internal control. Senior management is primarily responsible for establishing a proper organizational culture and specifying a system of internal control

An organization's directors, management, external auditors, and internal auditors all play important roles in creating a proper control environment. Senior management is primarily responsible for A Implementing and monitoring controls designed by the board of directors. B Designing and operating a control system that provides reasonable assurance that established objectives and goals will be achieved. C Establishing a proper organizational culture and specifying a system of internal control. D Ensuring that external and internal auditors adequately monitor the control environment.

B The organization's environment. The environment of an organization consists of external forces outside its direct control that may affect its performance. These forces include competitors, suppliers, customers, regulators, climate, culture, politics, technological change, and many other factors.

An organization's management perceives the need to make significant changes. Which of the following factors is management least likely to be able to change? A The organization's technology. B The organization's environment. C The organization's structure. D The organization's members.

A Total asset turnover. The total asset turnover ratio equals sales divided by total assets. An increase in reported inventory will increase total assets and decrease the ratio.

An unexpected decrease in which of the following ratios could indicate that fictitious inventory has been recorded? A Total asset turnover. B Current. C Average collection period. D Price-earnings.

Inform audit management and ask for direction on whether to accept the gift. Internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor's objectivity has been impaired. The status of engagements is not to be considered as justification for receiving fees, gifts, or entertainment. Internal auditors are to report immediately the offer of all material fees or gifts to their supervisors.

As part of a company-sponsored award program, an internal auditor was offered an award of significant monetary value by a division in recognition of the cost savings that resulted from the auditor's recommendations. According to the International Professional Practices Framework, what is the most appropriate action for the auditor to take? Decline the gift and advise the division manager's superior. Accept the gift because the engagement is already concluded and the report issued. Inform audit management and ask for direction on whether to accept the gift. Accept the award under the condition that any proceeds go to charity.

D Feedback control. A feedback control measures actual performance, something that has already occurred, to ensure that a desired future state is attained. It is used to evaluate the past to improve future performance. Inspecting finished goods, monitoring product returns, and evaluating complaints are post-action controls intended to eliminate deviations in future cycles of the process under control.`

As part of a total quality control program, a firm not only inspects finished goods but also monitors product returns and customer complaints. Which type of control best describes these efforts? A Feedforward control. B Inventory control. C Production control. D Feedback control.

B Consultative. A consultative attitude leads to two-way communication. Consultation considers the client's viewpoint, helps to dispel fear and mistrust, and demonstrates the value of internal auditing to the client.

As part of the process to improve internal auditor-engagement client relations, it is very important to deal with how the internal audit activity is perceived. Certain types of attitudes in the work performed will help create these perceptions. From a management perspective, which attitude is likely to be the most conducive to a positive perception? A Interrogatory. B Consultative. C Objective. D Investigative.

As part of the evaluation of the coordination between the internal and external auditors. The CAE is responsible for regular evaluations of the coordination between internal and external auditors. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to senior management and the board, including relevant comments about the performance of external auditors.

Assessments of the work of external auditors may be made by the chief audit executive When the external auditor is appointed. When the CAE oversees their work. When their work is relied upon by the internal auditors. As part of the evaluation of the coordination between the internal and external auditors.

D Use and accountability of prenumbered checks. A completeness assertion relates to whether all transactions and accounts that should be presented in the financial statements are so presented. The exclusive use of sequentially numbered documents facilitates control over expenditures. An unexplained gap in the sequence alerts the auditor to the possibility that not all transactions have been recorded. A failure to use prenumbered checks would therefore suggest a higher assessment of control risk. If a company uses prenumbered checks, it should be easy to determine exactly which checks were used during a period.

Auditors document their understanding of internal control with questionnaires, flowcharts, and narrative descriptions. A questionnaire consists of a series of questions concerning controls that auditors consider necessary to prevent or detect errors and fraud. The most appropriate question designed to contribute to the auditors' understanding of the completeness of the expenditure (purchases-payables) cycle concerns the A Disposition of cash receipts. B Internal verification of quantities, prices, and mathematical accuracy of sales invoices. C Qualifications of accounting personnel. D Use and accountability of prenumbered checks.

B Requiring a specific mail clerk to list and restrictively endorse each check. An employee who does not have access to other records should open the mail and prepare a list of checks received. The check listing will later be reconciled with the daily bank deposit and entries to accounts receivable. A restrictive endorsement ("for deposit only") will put transferees on notice to act accordingly (that is, deposit the check in the organization's account).

Checks from customers are received in the organization's mail room each day. What controls should be in place to safeguard them? A Forwarding all checks to the cashier upon receipt. B Requiring a specific mail clerk to list and restrictively endorse each check. C Providing bonding protection for mail clerks. D Establishing a separate post office box for customer payments.

A The chief audit executive.

Coordination of internal and external auditing can reduce the overall costs. Who is responsible for actual coordination of internal and external auditing efforts? A The chief audit executive. B The external auditor. C Management. D The board

A Establishing and maintaining an organizational culture. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that goals and objectives will be achieved. Management periodically reviews its objectives and goals and modifies its processes to accommodate changes in internal and external conditions. Management also establishes and maintains an organizational culture, including an ethical climate that fosters control.

Directors, management, external auditors, and internal auditors all play important roles in creating proper control processes. Senior management is primarily responsible for A Establishing and maintaining an organizational culture. B Implementing and monitoring controls designed by the board of directors. C Ensuring that external and internal auditors oversee the administration of the system of risk management and control processes. D Reviewing the reliability and integrity of financial and operational information.

C Comparison of invoices with purchase orders or contracts. This detective control would have revealed that the contractor's invoice used a unit of measure different from that in the contract. Thus, the basis of payment was not what was called for in this unit-price contract.

During an engagement involving a construction contract, the internal auditor discovered that the contractor was being paid for each ton of dirt removed. The contract called for payment based on cubic yards removed. Which internal control might have prevented this error? A Comparison of actual costs with budgeted costs. B Comparison of invoices with receiving reports. C Comparison of invoices with purchase orders or contracts. D Extension checks of invoice amounts.

D The initiation of a conflict-of-interest policy. A policy is one means of achieving control. It is a general guide to and limit on action that should be clearly stated in writing and systematically communicated to appropriate parties. A conflict-of-interest policy should contain directives that restrict business dealings with relatives unless otherwise disclosed to and approved by senior management.

During an engagement involving a purchasing department, an internal auditor discovered that many purchases were made (at normal prices) from an office supplier whose owner was the brother of the director of purchasing. Controls were in place to restrict such purchases and no fraud appears to have been committed. In this case, the internal auditor should recommend A The development of an approved-vendor file initiated by the buyer and approved by the director of purchasing. B The inspection of all receipts by receiving inspectors. C Establishment of a price policy (range) for all goods. D The initiation of a conflict-of-interest policy.

D Report the override of control to the board. Rule of Conduct 2.3 under the objectivity principle states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review." The management override of an important control over approval of grants created a material risk exposure. The internal auditor is ethically obligated to report the matter to senior officials charged with performing the governance function.

During an examination of grants awarded by a not-for-profit organization, an internal auditor discovered a number of grants made without the approval of the grant authorization committee (which includes outside representatives), as required by the organization's charter. All the grants, however, were approved and documented by the president. The chair of the grant authorization committee, who is also a member of the board of directors, proposes that the committee meet and retroactively approve all the grants before the engagement communication is issued. If the committee meets and approves the grants before such issuance, the internal auditor should A Include the items in the communication as an override of the organization's controls. Details about each grant should be reported, and the internal auditor should investigate further for fraud. Graded B Discuss the matter with the chair of the grant committee to determine the rationale for not approving the grants earlier. If the grants are routine, discussion of the grant committee's inaction should be omitted from the engagement communication. C Not report the grants in question because they were approved before the issuance of the engagement communication. D Report the override of control to the board.

B Both a violation of The IIA's Code of Ethics AND a violation of the reporting requirements in the Standards. Under the Standards, internal auditors should communicate engagement results. Rule of Conduct 4.2 states, "Internal auditors shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing." Rule of Conduct 2.3 under the objectivity principle states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review." Hence, the failure to report violates The IIA's Code of Ethics and the Standards.

During the course of an engagement, an internal auditor discovered that a research and development employee has been patenting new developments that are unrelated to the basic business of the organization. The organization does not have a specific policy addressing patents on developments that are not related to its basic business, but it has a general policy that all important new discoveries by employees are the property of the organization. The employee is considered one of the most prestigious in the field. The employee's actions have been condoned by local management as an extra incentive to keep the employee at the lab. A decision not to report the employee's action is A A violation of the reporting requirements in the Standards. B Both a violation of The IIA's Code of Ethics AND a violation of the reporting requirements in the Standards. C A violation of The IIA's Code of Ethics. D Justified because divisional management is aware of the practice, and it is not in violation of organizational policies.

C Lack of competence in this area. Rule of Conduct 4.1 under the competency principle states, "Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience." Internal auditors may not have, and are not expected to have, knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud (Impl. Std. 1210.A2).

During the course of an engagement, an internal auditor discovers that a clerk is embezzling funds from the organization. Although this is the first embezzlement ever encountered and the organization has a security department, the internal auditor decides to interrogate the suspect. If the internal auditor is violating The IIA's Code of Ethics, the rule violated is most likely A Failing to comply with the law. B Failing to exercise due diligence. C Lack of competence in this area. D Lack of loyalty to the organization.

Consider the specific circumstances before deciding whether to disclose the reasons for the information request. At times, an internal auditor may be asked by the engagement client or other parties to explain why a document that has been requested is relevant to an engagement. Disclosure or nondisclosure during the engagement of the reasons documents are needed should be determined based on the circumstances. Significant irregularities may dictate a less open environment than would normally contribute to a cooperative engagement. However, that is a judgment that should be made by the chief audit executive in light of the specific circumstances. Moreover, the internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results (Impl. Std. 1110.A1).

During the performance of an engagement to evaluate a division's controls over purchasing, the chief purchasing agent asked why the internal auditor had requested documents pertaining to transactions with a particular supplier. The internal auditor's proper response is to Consider the specific circumstances before deciding whether to disclose the reasons for the information request. Explain the reasons for the information request to promote cooperation with the engagement client. Refuse to explain the information request to preserve the integrity of the engagement process. Treat the inquiry as a scope limitation.

B Detailed cost-benefit analysis of the internal audit activity. The external assessment has a broad scope of coverage that includes (1) conformance with the Code of Ethics and the Standards evaluated by review of the internal audit activity's charter, plans, policies, procedures, practices, and applicable legislative and regulatory requirements; (2) the expectations of the internal audit activity expressed by the board, senior management, and operational managers; and (3) the efficiency and effectiveness of the internal audit activity (IG 1312). However, the costs and benefits of internal auditing are neither easily quantifiable nor the subject of an external assessment.

External assessment of an internal audit activity is not likely to evaluate A Adherence to the internal audit activity's charter. B Detailed cost-benefit analysis of the internal audit activity. C Conformance with the Standards. D The internal audit staff's expertise.

A Administratively to the president and functionally to the board. The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110). The chief audit executive (CAE), reporting functionally to the board and administratively to the organization's chief executive officer, facilitates organizational independence .

Fact Pattern: A service organization is currently experiencing a significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using in-house developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the chief audit executive, two managers, and five staff auditors, all with financial background. In the past, the primary focus of successful internal audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions such as human resources, accounting, and purchasing will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Up to this point, the internal audit activity has reported to the chief operating officer. Due to the significant changes, there has been some discussion as to changing this reporting relationship. What would be the best reporting relationship? A Administratively to the president and functionally to the board. B Administratively to the chief financial officer and functionally to the president. C Administratively and functionally to the chief operating officer. D Administratively and functionally to the president.

C Was exercised because the internal auditor applied reasonable care and competence in both areas. Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. Thus, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever the internal auditor undertakes an internal audit assignment. Accordingly, the work performed with regard to facilities usage and staffing was adequate and would withstand normal scrutiny.

Fact Pattern: A staff internal auditor performed a portion of an engagement to review an organization's marketing function. In particular, the internal auditor evaluated the function's effective and efficient use of resources to identify 1. Underused facilities 2.Overstaffing or understaffing 3.Nonproductive work 4.Procedures that were not cost justified To test for underused facilities, the internal auditor performed a complete walk-through of all spaces assigned to the marketing function and evaluated the use of both space and capital equipment. The internal auditor analyzed reports on space usage for the last year and concluded that facilities were neither underused nor used at maximum capacity. To test for overstaffing or understaffing, the internal auditor compared current staffing levels with a staffing analysis recently completed by an independent contractor. Because the staffing analysis used work standards and service demands to provide factual and reliable information on staffing requirements, the internal auditor was able to conclude that staffing levels were optimal. To test for nonproductive work, the internal auditor interviewed an employee from each level and, based upon their responses, concluded that no significant amount of nonproductive work was being performed. Thus, the internal auditor concluded that additional engagement work to search for procedures that were not cost-justified would not be necessary. In reference to requirements 1 and 2, due professional care A Was not exercised because the internal auditor failed to apply reasonable care regarding requirement 1. B Was not exercised because the internal auditor failed to apply reasonable care regarding requirements 1 and 2. C Was exercised because the internal auditor applied reasonable care and competence in both areas. D Was not exercised because the internal auditor failed to apply reasonable care regarding requirement 2.

D A report of all new employees added be approved by someone outside of the payroll department. Also, a report showing all employees and hours worked should be sent to the supervisor's department for review. The payroll department has a recording function. It should not authorize pay rate changes or the addition or deletion of employees from the payroll. Accordingly, authorization of such changes should be made by an individual outside the department. Verification of payroll data should also be made outside the department. Proper segregation of duties is critical in the prevention of payroll fraud.

Fact Pattern: An organization has grown rapidly and has just automated its human resource system. The organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, ethnic code, age, insurance, medical protection, and other similar information. Management has asked the internal audit activity to review the new system. An employee in the payroll department is contemplating a fraud involving the addition of a fictitious employee and the entry of fictitious hours worked. The paycheck would then be sent to the payroll employee's home address. The most effective control procedure to prevent this type of fraud is to require that A The payroll department physically delivers paychecks to employees rather than mailing them. B All changes to employee records be approved by supervisors outside of both human resources and payroll. C All new employees and their hours worked be entered by the human resources department. D A report of all new employees added be approved by someone outside of the payroll department. Also, a report showing all employees and hours worked should be sent to the supervisor's department for review.

D Require a supervisor in the department, who does not have the ability to change the table of pay rates, to compare the changes with a signed management authorization. To maintain a proper segregation of duties, changes in pay rates should be authorized by someone outside the human resources department. Furthermore, authorization should be independently verified by an individual who does not have a recording function.

Fact Pattern: An organization has grown rapidly and has just automated its human resource system. The organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, ethnic code, age, insurance, medical protection, and other similar information. Management has asked the internal audit activity to review the new system. The automated system contains a table of pay rates matched with the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes is to A Ensure that adequate edit and reasonableness checks are built into the automated system. B Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee. C Limit access to the data table to management and line supervisors who have the authority to determine pay rates. D Require a supervisor in the department, who does not have the ability to change the table of pay rates, to compare the changes with a signed management authorization.

A Submitting gasoline and repair bills that are higher than company average. Submitting gasoline and repair bills that are higher than average is not correlated with making fraudulent loans. These factors are not controllable by the loan officer, so they cannot be indicators of unusual activity by him or her.

Fact Pattern: Bank management suspects that a bank loan officer frequently made loans to fictitious entities, disbursed loan proceeds to personally established accounts, and then let the loans go into default. Some pertinent facts about the loan officer include -A high standard of living, explained as the result of sound investments and not taking vacations; -An expensive personal car obtained through business contacts; -Gasoline and repair bills submitted for a car assigned by the bank that are higher than the organization's average (mileage logs were submitted on a quarterly basis); and -Marked annoyance with questions from internal auditors. In this situation, typical indicators of the suspected fraud include all of the following except A Submitting gasoline and repair bills that are higher than company average. B Not taking an annual vacation. C Explaining a high standard of living as the result of investments. D Becoming easily annoyed with auditor inquiries about questionable loans.

D Loan default rates by loan officer. Trend analysis should detect an unexplained increase in the default rate caused by bogus loans.

Fact Pattern: Bank management suspects that a bank loan officer frequently made loans to fictitious entities, disbursed loan proceeds to personally established accounts, and then let the loans go into default. Some pertinent facts about the loan officer include -A high standard of living, explained as the result of sound investments and not taking vacations; -An expensive personal car obtained through business contacts; -Gasoline and repair bills submitted for a car assigned by the bank that are higher than the organization's average (mileage logs were submitted on a quarterly basis); and -Marked annoyance with questions from internal auditors. The most appropriate trend analysis to indicate this potential fraud is A Total monetary volume of loans by loan officer. B Accumulation of unpaid vacation days. C Automobile operating expenses by loan officer. D Loan default rates by loan officer.

D Analytical procedures revealed an extraordinary increase in account balances. Analytical procedures are commonly performed by internal auditors to assess information collected in an engagement. The assessment results from comparing information with expectations identified or developed by the internal auditor. Thus, an extraordinary increase in an account balance should be detected and investigated as the result of applying analytical methods.

Fact Pattern: When an internal auditor followed up on a significant increase in maintenance supplies during the past year, a purchasing agent explained to the internal auditor that the primary reason for the increase was painting services and supplies. The internal auditor found a blanket purchase order without the normal bid or quote documentation. The blanket purchase order had been signed by the general manager and named the general manager's father as the sole contractor for painting services on the organization's projects. The auditor also found a number of large invoices, authorized for payment by the general manager, that showed the general manager's father as the person who signed for the receipt of the material at the supplier. What is the common indicator of fraud recognized by the internal auditor in this scenario? A Paint and supplies are being purchased for a contractor. B Invoices are being authorized for payment by the general manager. C The purchasing agent is selecting the contractor on the basis of a blanket purchase order. D Analytical procedures revealed an extraordinary increase in account balances.

B 1, 3, and 4. Under these facts, an effective control assists in preventing or detecting payments to fictitious recipients. Requiring a social worker supervisor to investigate and approve all additions to the recipient file assists in preventing a social worker from adding fictitious recipients. Incorporating a code into the computer system to search for duplicate names and addresses and developing an exception report for the section supervisor assist in detecting fictitious recipients. Rotating social workers among recipients assists in preventing and detecting fictitious recipients. Self-checking digits, however, are online input controls used to detect incorrect identification numbers, not prevent or detect duplicate account numbers. Consequently, this control would be ineffective in preventing or detecting fictitious recipients.

Fact Pattern: While performing analytical procedures related to an engagement involving a social services agency of a government entity, the internal auditor noted an unusually large increase in payments to individual recipients who are under the direction of a particular social worker in the agency. The internal auditor is considering making a recommendation about appropriate controls to address a potential problem of fictitious recipients. The internal auditor has identified the following control procedures as potential items to include in the recommendation. Require that all additions to the recipient file be independently investigated and approved by a supervisor of the social workers. Require the use of self-checking digits on the account numbers of all recipients so that any duplicates will be immediately noted by the system. Incorporate a code into the computer program to search for duplicate names and addresses. Develop an exception report that will go to the section supervisor whenever duplicates are noted. Require that social workers be rotated among recipients. Which of the following control combinations would effectively address the internal auditor's concerns and improve control over valid recipients? A 1, 2, 3, and 4. B 1, 3, and 4. C 1 and 4. D 1, 2, and 3.

A Notify the parent's auditors of the situation and request that they either provide the working papers or authorize you to do so. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors, including access to the external auditors' programs and working papers. Internal auditors are responsible for respecting the confidentiality of those programs and working papers.

Fact Pattern: You are the chief audit executive of a parent organization that has foreign subsidiaries. Independent external audits performed for the parent are not conducted by the same firm that conducts the foreign subsidiary audits. Because the internal audit activity occasionally provides direct assistance to both external firms, you have copies of audit programs and selected working papers produced by each firm. The foreign subsidiary's auditors would like to rely on some of the work performed by the parent organization's audit firm, but they need to review the working papers first. They have asked you for copies of the working papers of the parent organization's audit firm. What is the most appropriate response to the foreign subsidiary's auditors? A Notify the parent's auditors of the situation and request that they either provide the working papers or authorize you to do so. B Provide copies of the working papers and notify the parent's audit firm that you have done so. C Provide copies of the working papers without notifying the parent's audit firm. D Refuse to provide the working papers under any circumstances.

C Cashier department. The responsibility for unclaimed paychecks should be given to a department that has no opportunity to authorize or write those checks. Because the treasury function serves only an asset custody function and thus has had no input into the paycheck process, it is the logical repository of unclaimed checks.

If employee paychecks are distributed by hand to employees, which one of the following departments should be responsible for the safekeeping of unclaimed paychecks? A Timekeeping department. B Production department in which the employee works or worked. C Cashier department. D Payroll department.

B Recording of cash receipts and preparation of bank reconciliations. Recording of cash establishes accountability for assets. The bank reconciliation compares that recorded accountability with actual assets. The recording of cash receipts and preparation of bank reconciliations should therefore be performed by different individuals because the preparer of a reconciliation could conceal a cash shortage. For example, if a cashier both prepares the bank deposit and performs the reconciliation, (s)he could embezzle cash and conceal the theft by falsifying the reconciliation.

If internal control is well designed, two tasks that should be performed by different persons are A Distribution of payroll checks and approval of sales returns for credit. B Recording of cash receipts and preparation of bank reconciliations. C Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and controlling account. D Posting of amounts from both the cash receipts journal and cash payments journal to the general ledger.

C Size of the internal audit activity. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, all internal audit activities are not required to have a detailed policies and procedures manual.

In most cases, an internal audit activity should document policies and procedures to ensure the consistency and quality of its work. The exception to this principle is directly related to A Departmentation. B Division of labor. C Size of the internal audit activity. D Authority.

C Recordability.

In regard to The IIA's Electronic Systems Assurance and Control study, which of the following is not a business assurance objective? A Protectability. B Functionality. C Recordability. D Capability.

C Preferences of the independent auditor. Ultimately, the role of internal auditing in the risk management process is determined by senior management and the board. Their view on internal auditing's role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs.

In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except A Ability of the internal audit staff. B Local conditions and customs of the country. C Preferences of the independent auditor. D Organizational culture.

D A former purchasing assistant performs a review of internal controls over purchasing 4 months after being transferred to the internal auditing department. Persons transferred to or temporarily engaged by the internal audit activity should not be assigned to audit those activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity.

In which of the following situations does an internal auditor potentially lack objectivity? A A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors. B An internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to a major customer before it is implemented. C An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits. D A former purchasing assistant performs a review of internal controls over purchasing 4 months after being transferred to the internal auditing department.

A former purchasing assistant performs a review of internal controls over purchasing 4 months after being transferred to the internal auditing department. Persons transferred to or temporarily engaged by the internal audit activity should not be assigned to audit those activities they previously performed until at least 1 year has elapsed. Such assignments are presumed to impair objectivity.

In which of the following situations does an internal auditor potentially lack objectivity? A former purchasing assistant performs a review of internal controls over purchasing 4 months after being transferred to the internal auditing department. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors. An internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to a major customer before it is implemented. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.

A 1, 2, and 3. "Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board" (Impl. Std. 2210.A3).

Internal auditors need to determine the extent to which management has established adequate control criteria. For this purpose, which of the following actions may be appropriate? 1. Determining whether objectives have been accomplished 2. Using management's adequate control criteria in their evaluation 3. Working with management to develop appropriate control evaluation criteria A 1, 2, and 3. B 1 only. C 1 and 2 only. D 2 only.

B Gain the understanding necessary to test the effectiveness of the system. Flowcharting is a pictorial method of analyzing and understanding the processes and procedures involved in operations, whether manual or computerized. Flowcharting is therefore useful in the preliminary survey and in obtaining an understanding of internal control. It is also helpful in systems development.

Internal auditors often flowchart a control system and reference the flowchart to narrative descriptions of certain activities. This is an appropriate procedure to A Determine whether the system meets established management objectives. B Gain the understanding necessary to test the effectiveness of the system. C Determine whether the system can be relied upon to produce accurate information. D Document that the system meets international auditing requirements.

Management takes action to enhance the likelihood that established goals and objectives will be achieved. A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved (The IIA Glossary

Internal auditors regularly evaluate controls. Which of the following best describes the concept of control as recognized by internal auditors? Control procedures should be designed from the "bottom up" to ensure attention to detail. Control represents specific procedures that accountants and internal auditors design to ensure the correctness of processing. Management regularly discharges personnel who do not perform up to expectations. Management takes action to enhance the likelihood that established goals and objectives will be achieved.

D Accepting compensation from professional organizations for consulting work. Professional organizations are unlikely to be employees, clients, customers, suppliers, or business associates of the organization. Thus, the consulting fees are not likely to impair or be presumed to impair the internal auditors' professional judgment (Rule of Conduct 2.2). Moreover, relationships with professional organizations are not likely to create a conflict of interest or impair or be presumed to impair internal auditors' unbiased judgment (Rule of Conduct 2.1). Also, the consulting engagement should not result in the improper use of information (Rule of Conduct 3.2).

Internal auditors should be prudent in their relationships with persons and organizations external to their employers. Which of the following activities will most likely not adversely affect internal auditors' ethical behavior? A Discussing engagement plans or results with external parties. B Serving as consultants to competitor organizations. C Serving as consultants to suppliers. D Accepting compensation from professional organizations for consulting work.

B Exposure to the elements The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.

Internal auditors should review the means of physically safeguarding assets from losses arising from A Underusage of physical facilities. B Exposure to the elements. C Procedures that are not cost justified. D Misapplication of accounting principles

D The cost of internal control should not exceed its benefits. A limiting factor is that the cost of internal control should not exceed its expected benefits. Thus, the potential loss associated with any exposure or risk is weighed against the cost to control it. Although the cost-benefit relationship is a primary criterion that should be considered in designing and implementing internal control, the precise measurement of costs and benefits usually is not possible.

Internal control can provide only reasonable assurance that the organization's objectives will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives is that A The board is active and independent. B Management monitors performance. C The internal auditor's primary responsibility is the detection of fraud. D The cost of internal control should not exceed its benefits.

C The chief financial officer has the authority to sign checks but gives the signature block to the assistant chief financial officer to run the check-signing machine The chief financial officer's department should have custody of assets but should not authorize or record transactions. Because the assistant chief financial officer reports to the chief financial officer, the chief financial officer is merely delegating an assigned duty related to asset custody.

Internal control should follow certain basic principles to achieve its objectives. One of these principles is the segregation of functions. Which one of the following examples does not violate the principle of segregation of functions? A The department time clerk is given the undistributed payroll checks to mail to absent employees. B The sales manager has the responsibility to approve credit and the authority to write off accounts. C The chief financial officer has the authority to sign checks but gives the signature block to the assistant chief financial officer to run the check-signing machine. D The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, may authorize disposal of damaged goods.

All of the answers are correct. The limitations of ERM are the same as those for control in general. They arise from the possibility of (1) faulty human judgment, (2) cost-benefit co

Limitations of enterprise risk management (ERM) may arise from Cost-benefit considerations. Faulty human judgment. Collusion. All of the answers are correct.

A Monitoring performance. Monitoring is a component of the internal control. It is a process that assesses the quality of the system's performance over time. It consists of ongoing activities built into normal operations to ensure that they continue to be performed effectively. Supervision and other ordinary management functions, consideration of communications with external parties, and the actions of internal and external auditors are examples.

Management has a role in the maintenance of control. In fact, management sometimes is a control. Which of the following most likely involves managerial functions as a control? A Monitoring performance. B Board approval of the charter of the internal audit activity. C Establishment of an internal audit activity. D Maintenance of a quality assurance program.

D. Avoiding Risk responses may include avoidance, acceptance, sharing, and reduction. By eliminating checks, the organization avoids all risk associated with them.

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent? A Accepting. B Transferring. C Controlling. D Avoiding.

A Situational pressure. Financial difficulties create situational pressures or temptations that may contribute to fraud. These situational pressures result from high personal indebtedness, extravagant lifestyles, gambling problems, etc.

Number 3, "Difficulties with personal financial problems," is an example of a(n) A Situational pressure. B Behavioral symptom. C Opportunity to commit. D Rationalization.

Avoidance of conflict of interest. Commitment to independence from conflicts of economic or professional interest is an aspect of objectivity.

Objectivity is an ethical requirement for all persons engaged in the professional practice of internal auditing. One aspect of objectivity requires Refraining from using confidential information for unethical or illegal advantage. Avoidance of conflict of interest. Performance of professional duties in accordance with relevant laws. Maintenance of an appropriate level of professional expertise.

B Operating controls. Operating controls are those used in the management processes of directing and controlling and are based on comparison of results with standards. As an activity becomes less mechanical, however, standards become more difficult to determine. Control standards for security, for example, are less easily developed than for the output per hour of a machine because the degree of security achieved is not readily measurable.

Of the following, the controls that are often difficult for internal auditors to evaluate because of the lack of criteria or standards are A Financial controls. B Operating controls. C Corrective controls. D Preventive controls.

C Timekeeping and preparation of payroll journal entries. Combining the timekeeping function and the preparation of the payroll journal entries would not be improper because the employee has no access to assets or to employee records in the human resources department. Only through collusion could an embezzlement be perpetrated. Accordingly, the functions of authorization, recordkeeping, and custodianship remain separate.

One characteristic of an effective internal control structure is the proper segregation of duties. The combination of responsibilities that would not be considered a violation of segregation of functional responsibilities is A Signing of paychecks and custody of blank payroll checks. B Approval of time cards and preparation of paychecks. C Timekeeping and preparation of payroll journal entries. D Preparation of paychecks and check distribution.

Written policies requiring review of major funding or repayment proposals by the board. The control objective of authorization relates to the proper execution of transactions in accordance with management's wishes. One means of achieving this control objective is the establishment of policies as guides to action. When a decision affects the capitalization of the entity, a policy should be in force requiring review at the highest level.

One control objective of the financing or treasury cycle is the proper authorization of transactions involving debt and equity instruments. Which of the following controls would best meet this objective? Segregation of responsibility for custody of funds from recording of the transaction. Requiring two signatures on all checks of a material amount. Written policies requiring review of major funding or repayment proposals by the board. Use of an underwriter in all cases of new issue of debt or equity instruments.

B Intentional deception. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force."

One factor that distinguishes fraud from other employee crimes is that fraud involves A Malicious motives. B Intentional deception. C Personal gain for the perpetrator. D Collusion with a party outside the organization.

C Using predetermined totals to control posting routines. A control total (total amount of sales invoices) should be generated for the transactions to be posted. It should then be compared with the total of items posted to the individual accounts (total of amounts posted to the general ledger and the accounts receivable subsidiary ledger).

One of two office clerks in a small organization prepares a sales invoice; however, the invoice is incorrectly entered by the bookkeeper in the general ledger and the accounts receivable subsidiary ledger for a smaller amount resulting from a transposition of digits. The customer subsequently remits the amount on the monthly statement. Assuming only three employees are in the department, the most effective control to prevent this type of error is A Requiring that monthly statements be prepared by the bookkeeper and verified by one of the other office clerks prior to mailing. B Assigning the second office clerk to make an independent check of prices, discounts, extensions, footings, and invoice serial numbers. C Using predetermined totals to control posting routines. D Requiring the bookkeeper to perform periodic reconciliations of the accounts receivable subsidiary ledger and the general ledger.

D The chief audit executive. The CAE establishes a structure for reporting results of internal assessments that maintains appropriate credibility and objectivity. Generally, those assigned responsibility for conducting ongoing and periodic internal assessments report to the CAE.

Ordinarily, those conducting internal quality program assessments report to A The board. B Senior management. C The internal audit staff. D The chief audit executive.

true

Organizational change is conducted through change agents, who may include managers, employees, and consultants hired. True False

A Align the organization's and the employees' goals. The objectives of OD are to (1) deepen the sense of organizational purpose and align individuals with it; (2) promote interpersonal trust, communication, cooperation, and support; (3) encourage a problem-solving approach; (4) develop a satisfying work experience; (5) supplement formal authority with authority based on expertise; (6) increase personal responsibility; and (7) encourage willingness to change.

Organizational development (OD) is one of the major approaches to proactive management of change in organizations. One of the major objectives of OD is to A Align the organization's and the employees' goals. B Attract better employees to the organization. C Increase the power of leaders. D Provide the organization and its managers with ways to increase efficiency.

A All internal audit activities must have a detailed policies and procedures manual. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, all internal audit activities are not required to have a detailed policies and procedures manual.

Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement? A All internal audit activities must have a detailed policies and procedures manual. B A small internal audit activity may be managed informally through close supervision and memoranda. C The form and content of written policies and procedures depend on the size of the internal audit activity. D Formal administrative and technical manuals may not be needed by all internal audit activities.

C Management has delegated the authority to make purchases under a certain value to subordinates. Delegating the authority to make purchases under a certain value to subordinates is an acceptable and common practice intended to limit risk while promoting efficiency. It is not, by itself, considered a red flag.

Red flags are conditions that indicate a higher likelihood of fraud. Which of the following is not considered a red flag? A The assignment of responsibility and accountability in the accounts receivable department is not clear. B An individual has held the same cash-handling job for an extended period without any rotation of duties. C Management has delegated the authority to make purchases under a certain value to subordinates. D An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains/losses to senior management.

Management and the board. The support of management and the board is crucial when inevitable conflicts arise between the internal audit activity and the department or function under review.

Support from which persons or combination of persons listed below is most important to the success of the internal audit activity? The chief executive officer and chief financial officer. The audit committee. The chief executive officer. Management and the board.

A Maintain individual objectivity. The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.

The CAE bears the responsibility to do which of the following? A Maintain individual objectivity. B Encourage the objectivity of the CEO. C Foster an attitude of professional skepticism among members of the board. D Encourage the objectivity of the board.

Describe behavior norms expected of internal auditors. he IIA's Code of Ethics extends beyond the definition of internal auditing to include two essential components: (1) Principles that are relevant to the profession and practice of internal auditing and (2) Rules of Conduct that describe behavior norms expected of internal auditors (Introduction).

The IIA Rules of Conduct set forth in The IIA's Code of Ethics Apply only to particular conduct specifically mentioned. Are interpreted by the Principles. Are guidelines to assist internal auditors in dealing with engagement clients. Describe behavior norms expected of internal auditors.

Attribute Standards. Attribute Standards describe the characteristics of organizations and parties providing internal auditing services.

The Standards consist of three types of Standards. Which Standards apply to the characteristics of providers of internal auditing services? Performance Standards. Attribute Standards. Independence Standards. Implementation Standards.

B Select key procedures from the manual and use informal supervisory direction for other engagement management issues. Orientation to acquaint the acquired organization's staff with the established environment should be through exposure to selected key procedures from the formal manual. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, a small internal audit activity may be managed informally, for example, through daily close supervision and written memoranda.

The chief audit executive for a large decentralized organization has developed a manual containing comprehensive detailed written procedures as a guide for the decentralized engagement work groups, each of which has 20 to 30 internal auditors. The organization recently acquired a small organization that has an internal audit activity consisting of a supervisor and two staff personnel. Which of the following actions is the most practical in providing administrative guidance for this new internal audit activity? A Use informal supervisory direction for engagement management issues. B Select key procedures from the manual and use informal supervisory direction for other engagement management issues. C Adopt the administrative procedures being followed by the internal auditors of the acquired organization. D Use the already developed manual

B Access to records relevant to performance of engagements should be specified in the internal audit activity's charter. Specific guidelines are written in the internal audit activity's charter authorizing access to records, personnel, and physical properties relevant to the performance of engagements (Inter. Std. 1000). Such provisions reduce the likelihood of scope limitations.

The chief audit executive has assigned an internal auditor to perform a year-end engagement to evaluate payroll records. The internal auditor has contacted the director of compensation and has been refused access to necessary documents. To avoid this problem, A By following the long-range planning process, access to all relevant records should be guaranteed. B Access to records relevant to performance of engagements should be specified in the internal audit activity's charter. C Internal auditing should be required to report to the CEO of the organization. D Board approval should be required for all scope limitations

B Broad standards of conduct for the members of the organization. An organization's code of ethical conduct is the established general value system the organization wishes to apply to its members' activities by communicating organizational purposes and beliefs and establishing uniform ethical guidelines for members, which include guidance on behavior for members in making decisions. A code establishes high standards against which individuals can measure their own performance and communicates to those outside the organization the value system from which the organization's members must not be asked to deviate.

The code of ethics of a professional organization sets forth A The organizational details of the profession's governing body. B Broad standards of conduct for the members of the organization. C A basis for the measurement of internal audit performance. D A list of illegal activities that are proscribed to the members of the profession.

Broad standards of conduct for the members of the organization. An organization's code of ethical conduct is the established general value system the organization wishes to apply to its members' activities by communicating organizational purposes and beliefs and establishing uniform ethical guidelines for members, which include guidance on behavior for members in making decisions. A code establishes high standards against which individuals can measure their own performance and communicates to those outside the organization the value system from which the organization's members must not be asked to deviate.

The code of ethics of a professional organization sets forth Broad standards of conduct for the members of the organization. A basis for the measurement of internal audit performance. The organizational details of the profession's governing body. A list of illegal activities that are proscribed to the members of the profession.

C The use of the International Professional Practices Framework. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Attr. Std. 1210). The emphasis of internal auditors' expertise is on (1) the IPPF; (2) governance, risk, and control; and (3) business acumen. For example, the internal audit staff and managers should demonstrate the appropriate use and interpretation of the IPPF (Competency Framework).

The internal audit activity collectively must possess or obtain certain competencies. Internal audit staff should be competent in A Marketing. B Finance. C The use of the International Professional Practices Framework. D General management principles.

D 1, 2, 3, and 4. The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for: -Making strategic and operational decisions -Overseeing risk management and control -Promoting appropriate ethics and values within the organization -Ensuring effective organizational performance management and accountability -Communicating risk and control information to appropriate areas of the organization -Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management (Perf. Std. 2110)

The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for: 1. Ethics and values are promoted. 2. Effective organizational performance management and accountability are ensured. 3. Risk and control information is communicated. 4. Activities of the external and internal auditors and management are coordinated. A 4 only. B 2 and 3 only. C 1 only. D 1, 2, 3, and 4.

Feedforward control A feedforward control provides information on potential problems so that corrective action can be taken in anticipation, rather than as a result, of a problem.

The internal audit activity of an organization is an integral part of the organization's risk management, control, and governance processes because it evaluates and contributes to the improvement of those processes. Select the type of control provided when the internal audit activity conducts a systems development analysis. Feedforward control. Feedback control. Policies and procedures. Strategic plans.

True

The internal audit activity reports to senior management and the board on the effectiveness of corporate risk management processes, internal control, and risk management frameworks. True False

Board and senior management. Impairments of the internal audit activity's independence and objectivity should be communicated to the board and senior management.

The internal audit activity should be free to audit and report on any activity that also reports to its administrative head if it considers such coverage to be appropriate for its audit plan. Any limitation in scope or reporting of results of these activities should be brought to the attention of the External auditor. Board and senior management. Chief financial officer. Chief executive officer.

C A security guard allows one of the warehouse employees to remove assets from the premises without authorization. Inherent limitations in internal control arise from mistakes in judgment, misunderstandings of instructions, personnel carelessness, distraction, fatigue, collusion, perpetrations by management, changing conditions, and deterioration of degrees of compliance. Thus, a control (use of security guards) based on segregation of functions may be overcome by collusion among two or more employees.

The internal auditor recognizes that certain limitations are inherent in any system of internal controls. Which one of the following scenarios is the result of an inherent limitation of internal control? A The comptroller both makes and records cash deposits. B The organization sells to customers on account, without credit approval. C A security guard allows one of the warehouse employees to remove assets from the premises without authorization. D An employee who is unable to read is assigned custody of the organization's computer tape library and run manuals that are used during the third shift.

A Harm to reputation. An impact factor is a potential result of an event. These events are usually identified through the risk assessment process. For example, the consequences of fraud may include direct financial loss and harm to its reputation, which in turn may lead to inability to attract skilled employees or customers.

The internal auditors are assessing the risk of fraud involving senior management. An impact factor is A Harm to reputation. B Potential override of internal controls. C Unusual transactions. D Inadequacy of internal controls.

B Ensuring that fraud will not occur. Control is the principal means of preventing fraud, and management is responsible for establishing and maintaining internal control. Thus, internal auditors cannot give absolute assurance that noncompliance or fraud does not exist.

The internal auditors' responsibility regarding fraud includes all of the following except A Being aware of activities in which fraud is likely to occur. B Ensuring that fraud will not occur. C Evaluating the effectiveness of control activities. D Determining whether the control environment sets the appropriate tone at top.

A External assessments can provide senior management and the board with independent assurance about the quality of the internal audit activity. External assessments provide an independent and objective evaluation of the internal audit activity's compliance with the Standards and Code of Ethics.

The interpretation related to quality assurance given by the Standards is that A External assessments can provide senior management and the board with independent assurance about the quality of the internal audit activity. B Supervision is limited to the planning, examination, evaluation, communication, and follow-up process. C The internal audit activity is primarily measured against The IIA's Code of Ethics. D Appropriate follow-up to an external assessment is the responsibility of the chief audit executive's immediate supervisor.

Help assure that systems have adequate control procedures. The internal audit activity evaluates and improves risk management, control, and governance processes. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. The auditor's objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems. Such services may create a conflict of interest, a situation in which internal auditors have a competing professional or personal interest. This may create an appearance of impropriety that undermines confidence in the internal audit activity (Inter. Attr. Std. 1120).

The major reason for the internal auditor's involvement in information systems development is for the internal auditor to Gain familiarity with systems for use in subsequent reviews. Help minimize the cost and development time for new systems. Propose enhancements for subsequent development and implementation. Help assure that systems have adequate control procedures.

audit committee

The most important function of the ______ is to promote the independence of the internal and external auditors by protecting them from management's influence.

B Must be sufficient to permit the accomplishment of the activity's responsibilities. The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110).

The organizational level to which the internal audit activity reports A Requires only the board's annual approval of the engagement work schedule, staffing plan, and financial budget. B Must be sufficient to permit the accomplishment of the activity's responsibilities. C Is guaranteed when the charter specifically defines the activity's independence. D Is best when reporting is only made to the board of directors.

Must be sufficient to permit the accomplishment of the activity's responsibilities. The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities (Attr. Std. 1110).

The organizational level to which the internal audit activity reports Is best when reporting is only made to the board of directors. Is guaranteed when the charter specifically defines the activity's independence. Requires only the board's annual approval of the engagement work schedule, staffing plan, and financial budget. Must be sufficient to permit the accomplishment of the activity's responsibilities.

Better manage perceived high risks. Risk management is a process that identifies, assesses, manages, and controls potential risks and potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives (The IIA Glossary). Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring.

The primary reason that a bank would maintain a separate compliance function is to Better manage perceived high risks. Ensure the independence of line and senior management. Better respond to shareholder expectations. Strengthen controls over the bank's investments.

Serve as an independent, objective assurance and consulting activity that adds value to operations. The Definition of Internal Auditing states, in part, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations."

The proper organizational role of internal auditing is to Perform studies to assist in the attainment of more efficient operations. Serve as an independent, objective assurance and consulting activity that adds value to operations. Serve as the investigative arm of the board. Assist the external auditor to reduce external audit fees.

C Feedback controls. A feedback control operates to provide information about processes that have already occurred.

The use of financial statement analysis, quality control procedures, and employee performance evaluations are all examples of A Feedforward controls. B Preliminary controls. C Feedback controls. D Concurrent controls.

False the CAE must have direct and unrestricted access

To attain the internal audit activity's necessary degree of independence, each auditor must have direct and unrestricted access to senior management and the board. True False

C Coordinated with internal auditing work. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).

To improve their efficiency, internal auditors may rely upon the work of external auditors if it is A Primarily concerned with operational objectives and activities. B Conducted in accordance with the Code of Ethics. C Coordinated with internal auditing work. D Performed after the internal auditing work

D Comply with the International Standards for the Professional Practice of Internal Auditing. The IIA's Code of Ethics applies not only to individuals but also to entities that provide internal auditing services. Rule of Conduct 4.2 under the competency principle states, "Internal auditors shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.

Under The IIA's Code of Ethics, an entity that provides internal auditing services is specifically required to A Maintain certain predetermined staffing requirements for engagements. B Comply with organizational policy. C Participate in a formal continuing education program. D Comply with the International Standards for the Professional Practice of Internal Auditing.

B In practice, management has primary responsibility. he board has overall responsibility. However, in practice, the board delegates responsibility for ERM to senior management, which should ensure that sound processes are in place and functioning.

Under the COSO's ERM framework, which of the following most accurately describes risk management responsibilities? A The chief audit executive should serve as chief risk officer. B In practice, management has primary responsibility. C The board provides assurance about the effectiveness of ERM. D The internal audit activity has an oversight role.

D. All of the answers are correct If the internal auditors lack the necessary expertise, external service providers should be employed who can provide the requisite knowledge, skills, and other competencies. Thus, external service providers may provide assistance in (1) estimating the liability for postretirement benefits, (2) developing a comparative analysis of healthcare costs, and (3) training the staff to audit healthcare costs.

Use of external service providers with expertise in healthcare benefits is appropriate when the internal audit activity is A Comparing the cost of the organization's healthcare program with other programs offered in the industry. B Evaluating the organization's estimate of its liability for postretirement benefits, which include healthcare benefits. C Training its staff to conduct an audit of healthcare costs in a major division of the organization. D All of the answers are correct.

A Provide staff with sufficient training to enhance communication skills. Internal auditors must be able to organize and express ideas clearly and with confidence to influence others. They also should be able to (1) extract key information from many sources to support communication, (2) select appropriate communication forms and methods, and (3) use the technical conventions of language (grammar, punctuation, etc.) (Competency Framework).

What is the most appropriate preventive measure for staff communication problems with engagement clients? A Provide staff with sufficient training to enhance communication skills. B Avoid unnecessary communication with engagement clients. C Discuss communication problems with staff auditors. D Meet with engagement clients to resolve communication problems.

C Active, detective control. When shipping documents are not received in the shipping department (such as copies of the sales invoice, customer order form, and bill of lading), the clerk should attempt to obtain the proper documentation from the originating organization. This type of control is detective because it detects and attempts to correct an undesirable event that has occurred. It is also active because it takes a conscious intervention by the clerk to ensure the documentation is received.

When a copy of the sale invoice is not received by an organization's shipping department, an employee requests the document from the proper authority. This process is a(n) A Passive, mitigating control. B Directive, detective control. C Active, detective control. D Detective, preventive control.

A Recommend an investigation. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

When an internal auditor identifies multiple factors that have been linked with possible fraudulent conditions and suspects that fraud has taken place, the auditor should A Recommend an investigation. B Immediately report to senior management and the board. C Immediately report to the board. D Extend tests to determine the extent of the fraud.

B Be living beyond their obvious means of support. Living beyond one's means has been linked to employee fraud (embezzlement), not to financial statement fraud. Fraud perpetrated for the benefit of the organization ordinarily benefits the wrongdoer indirectly, whereas fraud that is detrimental to the organization provides immediate, direct benefits to the employee.

When comparing perpetrators who have embezzled an organization's funds with perpetrators of financial statement fraud (falsified financial statements), those who have falsified financial statements are less likely to A Have experienced an autocratic management style. B Be living beyond their obvious means of support. C Use organizational expectations as justification for the act. D Rationalize the fraudulent behavior.

C After an external review completed within the past 5 years. The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement (Attr. Std. 1321). The internal audit activity conforms with mandatory guidance when it achieves the outcomes described in the Code of Ethics and the Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least 5 years will also have the results of external assessments (Inter. Std. 1321; Attr. Std. 1312). Thus, to use the phrase, the chief audit executive of an internal audit activity in existence for at least 5 years must have the results of an external assessment within that period.

When is initial use of the conformance phrase by internal auditors appropriate? A After an internal review completed within the past 10 years. B After an external review completed within the past 10 years. C After an external review completed within the past 5 years. D After an internal review completed within the past 5 years.

D Yes. The actuary has skills not usually found among internal auditors to identify and quantify self-insurance risks. The internal audit activity may use external service providers or internal sources that are qualified in disciplines such as accounting, auditing, economics, finance, statistics, information technology, engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activity's responsibilities. Thus, unless the internal audit activity has an employee with actuarial skills, an actuarial consultant should be hired to assess self-insurance risks.

When the engagement was assigned, management asked the internal auditor to evaluate the appropriateness of using self-insurance to minimize risk to the organization. Given the scope of the engagement requested by management, should the internal auditor engage an actuarial consultant to assist in the engagement if these skills do not exist on staff? A Yes. An actuary is essential to determine whether the healthcare costs are reasonable. B No. The internal audit activity is skilled in assessing controls, and the insurance control concepts are not distinctly different from other control concepts. C No. It is a normal internal auditor function to assess risk; this engagement is therefore not unique. D Yes. The actuary has skills not usually found among internal auditors to identify and quantify self-insurance risks.

D Acceptance of airline tickets from an engagement client. Rule of Conduct 2.2 under the objectivity principle states, "Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment."

Which of the following actions by an internal auditor would violate The IIA's Code of Ethics? A Disposal of a small ownership interest in the organization prior to learning of a business downturn. B Attendance at an educational program offered by an engagement client to all employees. C Disclosure, in an engagement communication, of all material facts relevant to the area reviewed. D Acceptance of airline tickets from an engagement client.

C Increased adoption of audit committees composed of outside directors. The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. This committee (1) selects the external auditors; (2) reviews their overall audit plan; (3) examines the results of external and internal auditing engagements; (4) meets regularly with the CAE; and (5) reviews the internal audit activity's engagement work schedule, staffing plan, and financial budget. These functions should increase public confidence that financial statements are fairly presented.

Which of the following actions is an appropriate response by organizations wishing to improve the public's perception of their financial reporting? A Viewing internal auditing as a transient profession—a stepping stone to managerial positions. B Requiring internal auditors to report all significant observations of illegal activity to the chief executive officer. C Increased adoption of audit committees composed of outside directors. D Keeping external and internal auditing work separated to maintain independence.

C Safeguarding of assets. Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity's assurance function evaluates the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems regarding safeguarding of assets (Perf. Std. 2130).

Which of the following activities is outside the scope of internal auditing? A Evaluating risk exposures regarding compliance with policies, procedures, and contracts. B Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished. C Safeguarding of assets. D Evaluating risk exposures regarding compliance with laws and regulations.

B Safeguarding of assets. Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity. However, the internal audit activity's assurance function evaluates the adequacy and effectiveness of controls related to the organization's governance, operations, and information systems regarding safeguarding of assets (Perf. Std. 2130).

Which of the following activities is outside the scope of internal auditing? A Evaluating risk exposures regarding compliance with policies, procedures, and contracts. B Safeguarding of assets. C Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished. D Evaluating risk exposures regarding compliance with laws and regulations.

C Authorization of additions and deletions from the payroll. The payroll department is responsible for assembling payroll information (recordkeeping). The human resources department is responsible for authorizing employee transactions, such as hiring, firing, and changes in pay rates and deductions. Segregating the recording and authorization functions helps prevent fraud.

Which of the following activities represents both an appropriate human resources department function and a deterrent to payroll fraud? A Collection and retention of unclaimed paychecks. B Authorization of overtime. C Authorization of additions and deletions from the payroll. D Distribution of paychecks.

D All of the answers are correct. The five principles that relate to the control environment are The organization demonstrates a commitment to integrity and ethical values; The board demonstrates independence from management and exercises oversight for internal control; Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities; The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.

Which of the following are elements of the control environment? A Assignment of authority and responsibility. B Organizational structure. C Integrity and ethical values. D All of the answers are correct.

B 1, 2, and 3. Organizations may use the work of external auditors to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors. Moreover, the external auditor may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable external auditors to understand the internal auditor's techniques, methods, and terminology to facilitate reliance by external auditors on work performed.

Which of the following are responsibilities of the chief audit executive (CAE)? 1. Coordinating activities with other providers of assurance and consulting services. 2. Understanding the work of external auditors. 3. Providing sufficient information to the external auditors to permit them to understand the internal auditors' work. A 1 and 2 only. B 1, 2, and 3. C 2 and 3 only. D 1 and 3 only.

C A plan of job classifications based on predefined evaluation criteria. Job classifications and grades are established during the job analysis phase and the general level of compensation in the community and in the industry must be determined. Compensation is then fixed based on the plan of job classifications, usually within a range for each grade. A range is necessary to allow for flexibility. Compensation should be low enough to avoid excess cost and to permit competitive pricing but high enough to attract needed personnel.

Which of the following aspects of the administration of a compensation program is the most important control in the long run? A An informal wage and salary policy to be competitive with the industry average. B A level of general compensation that is reasonably competitive. C A plan of job classifications based on predefined evaluation criteria. D A wage and salary review plan for individual employee compensation.

C Determine whether scope limitations impede the ability of the internal audit activity to execute its responsibilities. The CAE should report functionally to the board (audit committee) to achieve organizational independence and allow the internal audit activity to fulfill its responsibilities. Functional reporting to the board typically involves, among other things, making appropriate inquiries of management and the CAE to determine whether audit scope or budgetary limitations impede the ability of the internal audit activity to fulfill its responsibilities.

Which of the following audit committee activities is of the greatest benefit to the internal audit activity? A Assurance that the external auditor will rely on the work of the internal audit activity whenever possible. B Review and approval of engagement work programs. C Determine whether scope limitations impede the ability of the internal audit activity to execute its responsibilities. D Review and endorsement of all internal auditing engagement communications prior to their release

C Control is the result of proper planning, organizing, and directing by management. A control is "any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved" (The IIA Glossary). Thus, control is the result of proper planning, organizing, and directing by management.

Which of the following best defines control? A Controls are statements of what the organization chooses to accomplish. B Control accomplishes objectives and goals in an accurate, timely, and economical fashion. C Control is the result of proper planning, organizing, and directing by management. D Control is provided when cost-effective measures are taken to restrict deviations to a tolerable level.

C Expand activities to determine whether an investigation is warranted. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Which of the following best describes an auditor's responsibility after noting some indicators of fraud? A Consult with external legal counsel to determine the course of action to be taken. B Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud. C Expand activities to determine whether an investigation is warranted. D Report the possibility of fraud to senior management and ask how to proceed.

Periodic internal review of the in-force list to evaluate the adequacy of insurance coverage. Obtaining insurance and periodically reviewing its adequacy are among management's responses to the findings of a risk assessment. Insurance coverage should be sufficient to ensure that the relevant assessed risks are managed in accordance with the organization's risk appetite.

Which of the following control procedures does an internal auditor expect to find during an engagement to evaluate risk management and insurance? Cutoff procedures with regard to insurance expense reporting. Policy of repetitive standard journal entries to record insurance expense. Required approval of all new insurance policies by the organization's CEO. Periodic internal review of the in-force list to evaluate the adequacy of insurance coverage.

D Evaluating the adequacy of controls to prevent fraud. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of controls.

Which of the following describes one of the responsibilities of the internal auditor for the deterrence of fraud in an organization? A Prosecuting perpetrators of fraud. B Implementation of systems to discourage fraud. C Reporting suspected fraud to law enforcement personnel. D Evaluating the adequacy of controls to prevent fraud.

C Shipping documents are prenumbered and are independently accounted for and matched with sales invoices. Shipping documents are prepared at the time of shipment. They are prenumbered to facilitate detection of unrecorded shipments. A gap in the sequence of documents may indicate an irregularity. An employee outside the shipping department should account for these documents. Sales invoices are generated by the organization's computer system at the same time as the shipping documents and should have the same numbers. Thus, every shipping document should be matched with a sales invoice to ensure proper billing.

Which of the following ensures that all inventory shipments are billed to customers? A Sales invoices are prenumbered and are independently accounted for and traced to the sales journal. B Duties for recording sales transactions and maintaining customer account balances are separated. C Shipping documents are prenumbered and are independently accounted for and matched with sales invoices. D Customer billing complaints are investigated by the controller's office.

B The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major shareholder. The audit committee has a control function because of its oversight of internal as well as external auditing. It should be made up of directors who are independent of management. The authority and independence of the audit committee strengthen the position of the internal audit activity.

Which of the following features of a large manufacturer's organizational structure is a control weakness? A The information systems department is headed by a vice president who reports directly to the president. B The audit committee of the board consists of the chief executive officer, the chief financial officer, and a major shareholder. C The chief financial officer is a vice president who reports to the chief executive officer. D The controller reports to the chief financial officer.

Oversight of the work of external auditors is the responsibility of the chief audit executive. Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board. Coordination of internal and external audit work is the responsibility of the CAE (Perf. Std. 2050).

Which of the following is a false statement about the relationship between internal auditors and external auditors? Oversight of the work of external auditors is the responsibility of the chief audit executive. Internal auditors may provide engagement work programs and working papers to external auditors. Internal and external auditors may exchange engagement communications and management letters. Sufficient meetings are scheduled between internal and external auditors to ensure timely and efficient completion of the work.

Inspection of completed goods. Feedback controls obtain information about completed activities. They permit improvement in future performance by learning from past mistakes. Thus, corrective action occurs after the fact. Inspection of completed goods is an example of a feedback control.

Which of the following is a feedback control? Close supervision of production-line workers. Inspection of completed goods. Measuring performance against a standard. Preventive maintenance.

C Takes no vacations and has refused promotion to vice president of finance. An employee who refuses to take vacations and turns down promotions is engaging in classic behavior that indicates the need to conceal an ongoing fraud.

Which of the following is an indicator of increased risk of fraud? The chief financial officer A Takes all vacations and has refused promotion to vice president of finance. B Takes all vacations and has just accepted a promotion to vice president of finance. C Takes no vacations and has refused promotion to vice president of finance. D Takes no vacations and has just accepted a promotion to vice president of finance.

C Emphasis on specific functions. The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on any specific area or risk.

Which of the following is closely related to traditional risk management instead of enterprise risk management (ERM)? A Achieving financial goals. B Rapid response to opportunities. C Emphasis on specific functions. D Organization-level view of risk.

Reactive Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur). "Reactive" is not a specified type of control. However, controls may be reactive in the sense that they detect an undesirable event and react to it or correct it.

Which of the following is not a type of control? Reactive. Preventive. Directive. Detective.

B The organization's vice president of operations. The audit committee consists of outside directors who are independent of management. Its purpose is to help keep external and internal auditors independent of management and to assure that the directors are exercising due care. The organization's vice president is not an outside director. The vice president of the local bank used by the organization, an academic specializing in business administration, and a retired executive of a firm that had been associated with the organization are all external parties who are usually independent of the organization's internal operations.

Which of the following is not an appropriate member of an audit committee? A The vice president of the local bank used by the organization. B The organization's vice president of operations. C A retired executive of a firm that had been associated with the organization. D An academic specializing in business administration.

Assignment of responsibility for deviations. The elements of control include (1) establishing standards for the operation to be controlled, (2) measuring performance against the standards, (3) examining and analyzing deviations, (4) taking corrective action, and (5) reappraising the standards based on experience. Thus, assigning responsibility for deviations found is not a part of the controlling function.

Which of the following is not implied by the definition of control? Assignment of responsibility for deviations. Measurement of progress toward goals. Uncovering of deviations from plans. Indication of the need for corrective action.

C It specifies the minimum resources needed for the internal audit activity. The charter formally defines the purpose, authority, and responsibility of the internal audit activity. Resource requirements are based on risk-based plans that are consistent with organizational objectives; they are not an appropriate topic to codify in the internal audit charter.

Which of the following is not true with regard to the internal audit charter? A It defines the authorities and responsibilities for the internal audit activity. B It provides a basis for evaluating the internal audit activity. C It specifies the minimum resources needed for the internal audit activity. D It should be approved by the board.

B Supervision of an internal auditor's work is performed throughout each audit engagement. The CAE develops and maintains a quality assurance and improvement program (Attr. Std. 1300) that includes (1) external assessments and (2) ongoing and periodic internal assessments. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity. Among the processes used in ongoing internal assessments is engagement planning and supervision (IG 1311).

Which of the following is only part of an internal audit activity's quality assurance program rather than being included as part of other responsibilities of the chief audit executive (CAE)? A The CAE provides information about and access to internal audit working papers to the external auditors to enable them to understand and determine the degree to which they may rely on the internal auditors' work. B Supervision of an internal auditor's work is performed throughout each audit engagement. C Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity. D Each individual internal auditor's performance is appraised at least annually.

A Providing a competitive selection of employee benefits. Internal auditors must have the knowledge, skills, and other competencies to perform their responsibilities. For example, they (1) might use the competency framework for self-assessment and (2) should demonstrate proficiency by obtaining professional certifications and qualifications (IG 1210, Proficiency). But a professional development program for internal auditors does not address employee compensation.

Which of the following items would not be an appropriate staffing issue? A Providing a competitive selection of employee benefits. B Providing continuing educational opportunities for each internal auditor. C Selecting qualified and competent individuals. D Appraising each internal auditor's performance at least annually.

D Purchasing stock in a target entity after overhearing an executive's discussion of a possible acquisition. Rule of Conduct 3.2 under the confidentiality principle states, "Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization."

Which of the following most likely constitutes a violation of The IIA's Code of Ethics by an internal auditor? A Deleting sensitive information from a final engagement communication at the request of senior management. B Investigating executive expense reports based completely on rumors of padding. C Discussing at a trade convention the organization's controls over its computer networks. D Purchasing stock in a target entity after overhearing an executive's discussion of a possible acquisition.

D Final settlements are negotiated after claims are developed and submitted. The claims handling process begins with prompt reporting by the affected operational unit of the organization of any basis for a claim. Prompt reporting is required to permit the insurer to take whatever steps it may deem necessary to reduce the ultimate compensable loss. The insurance function then cooperates with the operational unit to document and formally submit the claim to the carrier. Subsequently, the insurance function will be involved in any required review of the claim and negotiation of a settlement.

Which of the following policies and procedures is consistent with effective administration of the insurance function? A Policies are always placed with the carrier that offers the lowest rate for a specified level of coverage. B Billings for insurance coverage are received and payments disbursed by the insurance manager. C Policy coverages are adjusted each year by applying a price index to previous year coverages. D Final settlements are negotiated after claims are developed and submitted.

D Receiving reports are forwarded to purchasing where they are matched with purchase orders and sent to accounts payable. Purchasing and receiving should be organizationally independent. Moreover, comparing the purchase order and the receiving report should be the responsibility of a third person. Fraud perpetrated by a purchasing department employee could be concealed if (s)he is the first to obtain the receiving report.

Which of the following situations will cause an internal auditor to question the adequacy of controls over a purchasing function? A The original and one copy of the purchase order are mailed to the vendor. The copy on which the vendor acknowledges acceptance is returned to the purchasing department. B Unpaid voucher files and perpetual inventory records are independently maintained. C The accounts payable section prepares documentation for payments. D Receiving reports are forwarded to purchasing where they are matched with purchase orders and sent to accounts payable.

A None of the answers are correct. Objectivity is not adversely affected when the internal auditors recommend standards of control for systems or review procedures before they are implemented. Designing, installing, drafting procedures for, or operating systems is presumed to impair objectivity because of the conflict of professional interests.

Which of the following statements is an appropriate reason for the internal audit activity not to participate in the systems development process? A None of the answers are correct. B Participation will delay implementation of the project. C Recommendations prior to implementation will affect independence, and the internal auditors will not be able to perform an objective evaluation after the system is implemented. D Participation will cause the internal auditors to be labeled as partial owners of the application, and they will then have to share the blame for any problems that remain in the system.

A 1 only. The control environment includes, among other things, the element of human resource policies and practices. Thus, hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions must be considered by management.

Which of the following statements is correct regarding corporate compensation systems and related bonuses? -A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control. -Compensation systems are not part of an organization's control system and should not be reported as such. -An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses. A 1 only. B 2 and 3 only. C 3 only. D 2 only.

D Control self-assessment is not an approach to audit soft controls. One approach to auditing soft controls is control self-assessment, which is the involvement of management and staff in the assessment of internal controls within their work group.

Which of the following statements is not accurate with regard to soft controls? A Soft controls have become more necessary as technology advances have empowered employees. B The communication of ethical values and the fostering of mutual trust are soft controls in the CoCo model. C The COSO and CoCo models emphasize soft controls. D Control self-assessment is not an approach to audit soft controls.

B The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor's management letter. Internal auditors need access to the external auditors' presentation materials and management letters. Matters discussed in presentation materials and included in management letters need to be understood by the CAE and used as input to internal auditors in planning the areas to emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action by appropriate members of senior management and the board, the CAE should ensure that appropriate follow-up and corrective actions have been taken.

Which of the following statements is true regarding coordination of internal and external auditing efforts? A The chief audit executive should not give information about illegal acts to an external auditor because external auditors may be required to report the matter to the board or regulatory agencies. B The chief audit executive should determine that appropriate follow-up and corrective action was taken by management when required regarding matters discussed in the external auditor's management letter. C Ownership and the confidentiality of the external auditor's working papers prohibit their review by internal auditors. D If internal auditors provide assistance to the external auditors in connection with the annual audit, such assistance is not subject to the Standards.

A The internal auditor of a company has more responsibility than the board for the company's corporate governance. Governance is the responsibility of the board. Internal audit's responsibility is to assess governance processes and make appropriate recommendations for improvement.

Which of the following statements regarding corporate governance is not correct? A The internal auditor of a company has more responsibility than the board for the company's corporate governance. B Corporate control mechanisms include internal and external mechanisms. C The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue. D The compensation scheme for management is part of the corporate control mechanisms.

D All of the answers are correct. An internal auditor's responsibilities for the detection of fraud include having sufficient knowledge to identify indicators that fraud may have been committed; being alert to opportunities, such as control weaknesses, that could allow fraud to occur; and evaluating the indicators of fraud sufficiently to determine whether any further action is needed or whether a fraud investigation should be recommended. Among the many such indicators are lack of timely and appropriate documentation (including information about authorization) for material transactions, suspicious lifestyle characteristics of employees in a position to commit fraud, and management's failure to display and communicate an appropriate attitude toward internal control.

Which of the following would indicate that fraud may be taking place in a marketing department? A A manager appears to be living a lifestyle that is in excess of what could be provided by a marketing manager's salary. B The control environment can best be described as "very loose." However, this attitude is justified by management on the grounds that it is needed for creativity. C There is no documentation for some fairly large expenditures made to a new vendor. D All of the answers are correct.

A Embezzlement. Fraud is defined in The IIA Glossary as "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage." Embezzlement is the intentional appropriation of property entrusted to one's care. The embezzler converts property to his or her own use and conceals the theft.

Which of the following wrongful acts committed by an employee constitutes fraud? A Embezzlement. B Libel. C Harassment. D Assault.

Using only daily, close supervision and written memoranda. Formal administrative and technical audit manuals may not be needed by all internal audit entities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan.

Which of the following, though not appropriate for use with a large internal audit activity, is an acceptable approach for managing a small internal audit activity? Preparing comprehensive policies and procedures. Using only daily, close supervision and written memoranda. Writing detailed instructions and guidelines for each engagement area. Developing technical manuals to guide performance

C Be in considerable detail. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, the policies of a relatively large internal audit activity are likely to be more detailed than those of a relatively small internal audit activity.

Which of the items below most likely reflects differences between the policies of a relatively large and a relatively small internal audit activity? The policies for the large activity should A Define the scope of internal auditing. B Contain the authority to carry out engagements. C Be in considerable detail. D Be specific as to activities to be carried out.

C Delinquent accounts are reviewed only by the sales manager. Internal control over accounts receivable begins with a proper segregation of duties. Thus, the cashier, who performs an asset custody function, should not be involved in recordkeeping. Accounts should be periodically confirmed by an auditor, and delinquent accounts should be reviewed by the head of accounts receivable and the credit manager. Customer statements should be mailed monthly by the accounts receivable department without allowing access to the statements by employees of the cashier's department. The sales manager should not be the only person to review delinquent accounts because (s)he may have an interest in not declaring an account uncollectible.

Which one of the following situations represents an internal control weakness in accounts receivable? A Customers' statements are mailed monthly by the accounts receivable department. B Internal auditors confirm customer accounts periodically. C Delinquent accounts are reviewed only by the sales manager. D The cashier is denied access to customers' records and monthly statements.

B Paychecks are distributed by the employees' immediate supervisor. Paychecks should not be distributed by supervisors because an unscrupulous person could terminate an employee and fail to report the termination. The supervisor could then clock in and out for the employee and keep the paycheck. A person unrelated to either payroll recordkeeping or the operating department should distribute checks.

Which one of the following situations represents an internal control weakness in the payroll department? A The timekeeping function is independent of the payroll department. B Paychecks are distributed by the employees' immediate supervisor. C Payroll department personnel are rotated in their duties. D Payroll records are reconciled with quarterly tax reports.

B Consider the relative materiality or significance of matters to which assurance procedures are applied. Exercising due professional care means applying the care and skill expected of a reasonably prudent and competent internal auditor (Attr. Std. 1220). Internal auditors must exercise due professional care by considering, among other things, the relative complexity, materiality, or significance of matters to which assurance procedures are applied (Impl. Std. 1220.A1).

With regard to the exercise of due professional care, an internal auditor should A Select procedures that are likely to provide absolute assurance that irregularities do not exist. B Consider the relative materiality or significance of matters to which assurance procedures are applied. C Emphasize the potential benefits of an engagement without regard to the cost. D Consider whether criteria have been established to determine whether goals are achieved, not whether those criteria are adequate.

Monitoring Monitoring is the process of assessing the quality of the system's performance over time. It is designed to ensure that internal controls continue to operate effectively.

Within the COSO Internal Control - Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? Control environment. Monitoring. Risk assessment. Information and communication.

CAE

____ is responsible for management of internal audit resources in a manner that ensures fulfillment of internal audit responsibilities.